[Issue 9740] olcPPolicyCheckModule not working in 2.6.0

On Mon, Nov 08, 2021 at 02:51:43PM +0000, openldap-its(a)openldap.org wrote: >> - you are not using pwdUseCheckModule - the module configured will not >> actually be used even if dealing with plaintext passwords > > Yes, it seems working with this parameter set inside the default policy! > > I did'nt understand this parameter fully at first instance. > > This parameter is quite new, isn't it? (specific to 2.6 release?) IMO it is > actually a big step in migration process. Maybe can you add this in the > migration steps from 2.5 to 2.6. (it does not seem to be documented here for > example: https://www.openldap.org/doc/admin26/guide.html#Migration) Yes and it has been documented in the upgrading section. How about these changes to the admin guide: https://git.openldap.org/openldap/openldap/-/merge_requests/440 >> That's already documented here: >> https://git.openldap.org/openldap/openldap/-/blob/master/doc/man/man5/sla... >> >> Could you suggest any improvements to address whatever other confusion >> you think exists? > > The extended module is described at multiple places in the manual. Maybe quote > each time the minimum essential parameters implicated in the process? > ie: > - olcPPolicyCheckModule > - pwdUseCheckModule > - pwdCheckModuleArg The manpage is long enough even before we start duplicating things unnecessarily. Trying to add in what you mention, I found everything was already in the places I thought it was relevant and the links were mostly there to link the concepts. The existence of this ITS suggests you disagree, please suggest a different approach. Also note that it's up to the actual module whether pwdCheckModuleArg is needed or not. As such we can only suggest what to do with it. > The first occurrence where it is missing is for example: > > ppolicy_check_module <path> > Specify the path of a loadable module containing a > check_password() function for additional password quality checks. The use of > this module is described further below in the description of the > pwdPolicyChecker > objectclass. "The use of this module is described further below in the description of the pwdPolicyChecker objectclass." Is there anything about this sentence that should be changed to make it clearer after taking into account the change proposed in MR!441[0]. [0]. https://git.openldap.org/openldap/openldap/-/merge_requests/441 Thanks,