Merge remote branch 'origin/mdb.master'

[openldap] / doc / man / man5 / slapo-ppolicy.5

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index af96b8d76252d7b9b5127c14f5b582cf1a9dcc87..c0bf32fe5942758819e7afd66f62599350901a59 100644 (file)
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -1,5 +1,5 @@
 .TH SLAPO_PPOLICY 5 "RELEASEDATE" "OpenLDAP LDVERSION"
-.\" Copyright 2004-2009 The OpenLDAP Foundation All Rights Reserved.
+.\" Copyright 2004-2011 The OpenLDAP Foundation All Rights Reserved.
 .\" Copying restrictions apply.  See COPYRIGHT/LICENSE.
 .\" $OpenLDAP$
 .SH NAME
@@ -414,6 +414,23 @@ is set to "TRUE", or if the attribute is not present, users will be
 allowed to change their own passwords.  If its value is "FALSE",
 users will not be allowed to change their own passwords.
 .LP
+Note: this implies that when
+.B pwdAllowUserChange
+is set to "TRUE",
+users will still be able to change the password of another user,
+subjected to access control.
+This restriction only applies to modifications of ones's own password.
+It should also be noted that
+.B pwdAllowUserChange
+was defined in the specification to provide rough access control
+to the password attribute in implementations that do not allow fine-grain
+access control.
+Since OpenLDAP provides fine-grain access control, the use of this attribute
+is discouraged; ACLs should be used instead
+(see
+.BR slapd.access (5)
+for details).
+.LP
 .RS 4
 (  1.3.6.1.4.1.42.2.27.8.1.14
    NAME 'pwdAllowUserChange'