.TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved.
.\" Copying restrictions apply. See COPYRIGHT/LICENSE.
.\" $OpenLDAP$
.SH NAME
allowed to change their own passwords. If its value is "FALSE",
users will not be allowed to change their own passwords.
.LP
+Note: this implies that when
+.B pwdAllowUserChange
+is set to "TRUE",
+users will still be able to change the password of another user,
+subjected to access control.
+This restriction only applies to modifications of ones's own password.
+It should also be noted that
+.B pwdAllowUserChange
+was defined in the specification to provide rough access control
+to the password attribute in implementations that do not allow fine-grain
+access control.
+Since OpenLDAP provides fine-grain access control, the use of this attribute
+is discouraged; ACLs should be used instead
+(see
+.BR slapd.access (5)
+for details).
+.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.14
NAME 'pwdAllowUserChange'
authenticate the user to the directory. If
.B pwdAccountLockedTime
is set to 000001010000Z, the user's account has been permanently locked
-and may only be unlocked by an administrator.
+and may only be unlocked by an administrator. Note that account locking
+only takes effect when the
+.B pwdLockout
+password policy attribute is set to "TRUE".
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.17
projects / openldap / blobdiff