From 3492d6e3de55486e32e474b24688b4dc92b8c812 Mon Sep 17 00:00:00 2001
From: Mark Craig <mark.craig@forgerock.com>
Date: Thu, 06 Mar 2014 08:39:57 +0000
Subject: [PATCH] Backport CR-3141 Fix for OPENDJ-1364: Clarify how OpenDJ interprets who requests an LDAP Password Modify extended operation
---
opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml | 54 +++++++++++++++++++++++++++++++++++++++++-------------
1 files changed, 41 insertions(+), 13 deletions(-)
diff --git a/opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml b/opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml
index a9ce3a1..31b7c3e 100644
--- a/opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml
+++ b/opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml
@@ -20,13 +20,14 @@
!
! CCPL HEADER END
!
- ! Copyright 2011-2013 ForgeRock AS
+ ! Copyright 2011-2014 ForgeRock AS
!
-->
<chapter xml:id='chap-ldap-operations'
xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
- xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
+ xsi:schemaLocation='http://docbook.org/ns/docbook
+ http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Performing LDAP Operations</title>
@@ -962,17 +963,44 @@
The LDAP password modify operation was successful</screen>
<tip>
- <para>Whenever one user changes another user's password, OpenDJ considers
- it a password reset. That often means the user has to change her password
- again after the reset.</para>
- <para>If you want your application to change a user's password, rather
- than reset a user's password, have your application request the password
- change as the user whose password is changing. To change the password as
- the user, either bind as the user or use proxied authorization. For
- instructions on the latter, see the section on <link
- xlink:href="admin-guide#proxied-authz"
- xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Configuring
- Proxied Authorization</citetitle></link>.</para>
+ <para>
+ The <command>ldappasswordmodify</command> command uses
+ the LDAP Password Modify extended operation.
+ If this extended operation is performed on a connection
+ that is already associated with a user
+ —in other words, when a user first does a bind on the connection,
+ and then requests the LDAP Password Modify extended operation—
+ then the operation is performed as the user associated with the connection.
+ If the user associated with the connection
+ is not the user whose password is being changed,
+ then OpenDJ considers it a password reset.
+ </para>
+
+ <para>
+ Whenever one user changes another user's password,
+ OpenDJ considers it a password reset.
+ Often password policies specify that users
+ must change their passwords again after a password reset.
+ </para>
+
+ <para>
+ If you want your application to change a user's password,
+ rather than reset a user's password,
+ have your application request the password change
+ as the user whose password is changing.
+ </para>
+
+ <para>
+ To change the password as the user, you can
+ bind as the user whose password should be changed,
+ use the LDAP Password Modify extended operation
+ with an authorization ID but without performing a bind,
+ or use proxied authorization.
+ For instructions on using proxied authorization, see the section on
+ <link xlink:href="admin-guide#proxied-authz"
+ xlink:role="http://docbook.org/xlink/role/olink"
+ ><citetitle>Configuring Proxied Authorization</citetitle></link>.
+ </para>
</tip>
<para>You could also accomplish password reset with the following command,