docs(readme): clarify password change permission for admin users

2026-03-31 15:07:48 +01:00 · 2025-03-07 11:41:52 +01:00
parent f5f3091313
commit 049e882c35
1 changed files with 3 additions and 1 deletions
@@ -558,7 +558,9 @@ filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`.
 The administrator group for LLDAP is `lldap_admin`: anyone in this group has
 admin rights in the Web UI. Most LDAP integrations should instead use a user in
 the `lldap_strict_readonly` or `lldap_password_manager` group, to avoid granting full
-administration access to many services.
+administration access to many services. To prevent privilege escalation users in the
+`lldap_password_manager` group are not allowed to change passwords of admins in the
+`lldap_admin` group.

 ### Integration with OS's