From 049e882c359f1480ec3cb492a63a95eaf2efe6d1 Mon Sep 17 00:00:00 2001 From: hendrik1120 <89412959+hendrik1120@users.noreply.github.com> Date: Fri, 7 Mar 2025 11:41:52 +0100 Subject: [PATCH] docs(readme): clarify password change permission for admin users --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5f88377..abee137 100644 --- a/README.md +++ b/README.md @@ -558,7 +558,9 @@ filter like: `(memberOf=cn=admins,ou=groups,dc=example,dc=com)`. The administrator group for LLDAP is `lldap_admin`: anyone in this group has admin rights in the Web UI. Most LDAP integrations should instead use a user in the `lldap_strict_readonly` or `lldap_password_manager` group, to avoid granting full -administration access to many services. +administration access to many services. To prevent privilege escalation users in the +`lldap_password_manager` group are not allowed to change passwords of admins in the +`lldap_admin` group. ### Integration with OS's
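Review bot: The added sentence in the README.md hunk at line 558 is missing a comma after the introductory clause, and "admins in the `lldap_admin` group" is redundant, since the paragraph has already said that membership in that group is what confers admin rights. Suggested wording: "To prevent privilege escalation, users in the `lldap_password_manager` group are not allowed to change the passwords of members of the `lldap_admin` group." Because this paragraph recommends `lldap_password_manager` for integrations as a way to avoid granting full administration access, it would also help to say briefly why the restriction matters: being able to reset an admin's password amounts to being able to take over that account.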