https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #6 from Ondřej Kuzník <ondra(a)mistotebe.net> ---
On Wed, Sep 08, 2021 at 09:52:49AM +0000, openldap-its(a)openldap.org wrote:
> --- Comment #4 from Michael Ströder <michael(a)stroeder.com> ---
> (In reply to Ondřej Kuzník from comment #3)
> > I've already had to
> > make changes to the local version where things were omitted:
> >
> > https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f8dbba26b5ba8b593
>
> Hmm, not sure whether that leads to more interoperability.
>
> > Sounds like adding manage permissions on the attribute (and maybe the
> > "entry" attribute) could be a targeted way of allowing this operation?
>
> I strongly dislike having to use the Relax Rules control to let the admin
> change pwdPolicySubentry. IMO this control must only be used in exceptional
> administrative use-cases. I have a very strong opinion on this.
>
> In my local OpenLDAP 2.5.x builds I now simply remove NO-USER-MODIFICATION.
> Ideally I'd prefer not having to deal with pwdPolicySubentry at all. But until
> ITS#9343 is implemented NO-USER-MODIFICATION should be removed.
>
> Another solution would be to have a separate attribute fooPasswordPolicy (or
> whatever name you'd prefer) for overriding per entry the computed
> pwdPolicySubentry. It also allows always computing the effective
> pwdPolicySubentry including applying defaults. This is the approach at least
> one other LDAP server implements.

That sounds like something we might be able to pursue as it's a viable
reading of the draft. It would need a database reload with the attribute
renamed so not something I can see us doing before 2.7 (it's too late
for 2.6 now), we could do this alongside ITS#9343.
That means we still have to decide whether the pwdPolicySubentry status
should be reverted back and in which release.
Regards,