https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #6 from Ondřej Kuzník ondra@mistotebe.net --- On Wed, Sep 08, 2021 at 09:52:49AM +0000, openldap-its@openldap.org wrote:
> --- Comment #4 from Michael Ströder michael@stroeder.com --- (In reply to Ondřej Kuzník from comment #3)
>> I've already had to make changes to the local version where things were omitted: https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f8dbba26b5ba8b593
> Hmm, not sure whether that leads to more interoperability.
>> Sounds like adding manage permissions on the attribute (and maybe the "entry" attribute) could be a targeted way of allowing this operation?
> I strongly dislike having to use the Relax Rules control to let the admin change pwdPolicySubentry. IMO this control must only be used in exceptional administrative use-cases. I have a very strong opinion on this.
> In my local OpenLDAP 2.5.x builds I now simply remove NO-USER-MODIFICATION.
> Ideally I'd prefer not having to deal with pwdPolicySubentry at all. But until ITS#9343 is implemented NO-USER-MODIFICATION should be removed.
> Another solution would be to have a separate attribute fooPasswordPolicy (or whatever name you'd prefer) for overriding the computed pwdPolicySubentry per entry. It also allows always computing the effective pwdPolicySubentry, including applying defaults. This is the approach at least one other LDAP server implements.
That sounds like something we might be able to pursue as it's a viable reading of the draft. It would need a database reload with the attribute renamed, so it is not something I can see us doing before 2.7 (it's too late for 2.6 now); we could do this alongside ITS#9343.
That means we still have to decide whether the pwdPolicySubentry status should be reverted back and in which release.
Regards,
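For readers following the thread, the two mechanisms being weighed above are shown together below as an added example; it is not part of the ITS and not code from either participant. The first part is the ACL route Ondřej floats (manage permission on pwdPolicySubentry, and on the "entry" pseudo-attribute in case it is needed), granted only to a dedicated group; the second is the Relax Rules control Michael objects to having to send, which slapd currently requires before it will modify a NO-USER-MODIFICATION attribute at all. All DNs, the group name and the policy entry are hypothetical.

```ldif
# Added example, not from the ITS: letting a password administrator set
# pwdPolicySubentry on a user while the attribute is still NO-USER-MODIFICATION.
# Every DN below is an assumption for illustration.

# 1. ACL side (Ondřej's suggestion): grant "manage", not merely "write", on the
#    attribute and on the "entry" pseudo-attribute, scoped to one admin group.
#    slapd evaluates access rules first-match, so this must sit before any
#    catch-all "to *" rule. cn=config form shown; in slapd.conf the same line
#    reads "access to attrs=... by ... manage by * read".
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdPolicySubentry,entry
  by group.exact="cn=Password Admins,ou=groups,dc=example,dc=com" manage
  by * read

# 2. Client side (what Michael dislikes): the modify has to carry the Relax
#    Rules control, OID 1.3.6.1.4.1.4203.666.5.12, or slapd rejects it as a
#    constraint violation because the attribute is NO-USER-MODIFICATION.
#    With ldapmodify the control can be requested on the command line:
#      ldapmodify -e relax -H ldapi:/// -D "uid=pwadmin,ou=people,dc=example,dc=com" -W -f set-policy.ldif
#    or, as here, inline in the LDIF via a "control:" line (criticality true).
dn: uid=alice,ou=people,dc=example,dc=com
control: 1.3.6.1.4.1.4203.666.5.12 true
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
```

The point of keeping the two halves separate is the one the thread turns on: the ACL alone scopes who may do this, but as long as the schema keeps NO-USER-MODIFICATION the client still has to opt in with the control, which is why Michael's local builds drop the flag instead. With the flag removed, part 2 collapses to an ordinary modify and the "manage" in part 1 can be downgraded to "write".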