https://bugs.openldap.org/show_bug.cgi?id=9740
--- Comment #8 from David Coutadeur david.coutadeur@gmail.com ---
(In reply to Ondřej Kuzník from comment #5)
On Mon, Nov 08, 2021 at 02:51:43PM +0000, openldap-its@openldap.org wrote:
- you are not using pwdUseCheckModule - the module configured will not actually be used even if dealing with plaintext passwords
Yes, it seems to be working with this parameter set inside the default policy!
I didn't understand this parameter fully at first instance.
This parameter is quite new, isn't it? (specific to 2.6 release?) IMO it is actually a big step in the migration process. Maybe you can add this in the migration steps from 2.5 to 2.6. (it does not seem to be documented here for example: https://www.openldap.org/doc/admin26/guide.html#Migration)
Yes and it has been documented in the upgrading section. How about these changes to the admin guide: https://git.openldap.org/openldap/openldap/-/merge_requests/440
That's already documented here: https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/slapo-...
Could you suggest any improvements to address whatever other confusion you think exists?
The extended module is described at multiple places in the manual. Maybe quote each time the minimum essential parameters implicated in the process? i.e.:
- olcPPolicyCheckModule
- pwdUseCheckModule
- pwdCheckModuleArg
The manpage is long enough even before we start duplicating things unnecessarily. Trying to add in what you mention, I found everything was already in the places I thought it was relevant and the links were mostly there to link the concepts. The existence of this ITS suggests you disagree, please suggest a different approach.
Also note that it's up to the actual module whether pwdCheckModuleArg is needed or not. As such we can only suggest what to do with it.
The first occurrence where it is missing is for example:
ppolicy_check_module <path> Specify the path of a loadable module containing a check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.
"The use of this module is described further below in the description of the pwdPolicyChecker objectclass."
Is there anything about this sentence that should be changed to make it clearer after taking into account the change proposed in MR!441[0]?
[0]. https://git.openldap.org/openldap/openldap/-/merge_requests/441
Thanks,
Hi,
Sorry for the late answer.
I have read again the last version of slapo-ppolicy man page.
Everything seems OK: each section is linked to each other.
The attributes section (pwdUseCheckModule/pwdCheckModuleArg) defines all attributes at the same place and shows how they work together.
Thanks for the fix about the upgrade notes.
Regards
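
The situation discussed in this thread (a check module configured on the overlay while a policy lacks pwdUseCheckModule, so the module is never called) can be checked for mechanically. The following is an added example, not part of the original comment or OpenLDAP's own code; the LDIF sample, its DNs and the module path are constructed placeholders, and the function names are hypothetical.

```python
# Added example: flag ppolicy entries that will not invoke the check module.
# SAMPLE_LDIF is constructed and trimmed to the attributes the check reads.
SAMPLE_LDIF = """\
dn: olcOverlay={0}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcPPolicyConfig
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyCheckModule: /path/to/check_module.so

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdCheckModuleArg: constructed-argument

dn: cn=admins,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdUseCheckModule: TRUE
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]}."""
    entries = []
    # A newline followed by one space continues the previous line (LDIF folding).
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def unused_check_module(entries):
    """DNs of policies that never call the module configured on the overlay."""
    if not any(e.get("olcppolicycheckmodule") for e in entries):
        return []
    findings = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        enabled = [v.upper() for v in e.get("pwdusecheckmodule", [])] == ["TRUE"]
        if "pwdpolicy" in classes and not enabled:
            findings.append(e["dn"][0])
    return findings

if __name__ == "__main__":
    print(unused_check_module(parse_ldif(SAMPLE_LDIF)))
```

In the constructed sample the default policy sets pwdCheckModuleArg but not pwdUseCheckModule, so it is the one reported.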