Full_Name: Matthieu Cerda
Version: 2.4.40
OS: Debian jessie
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.213.124.6)
Hello !
As per http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I would like to submit a small improvement to the slapo-ppolicy manpage to clarify rootdn presence / absence implications in a ppolicy enabled setup.
Here is the patch (I think it's short enough not to justify a separate upload):
---8<---
From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001
From: Matthieu Cerda matthieu.cerda@nbs-system.com Date: Tue, 3 Jan 2017 14:45:37 +0100 Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible consequences
--- doc/man/man5/slapo-ppolicy.5 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 8306f9761..6d3edb9c4 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the operation is performed with the .B rootdn identity; all the operations, when performed with any other identity, -may be subjected to constraints, like access control. +may be subjected to constraints, like access control. It means that +not defining a +.B rootdn +in your configuration is likely to lead to undesirable behavior (like +account locking using pwdLockout not working properly) unless you have +appropriate access control entries. .P Note that the IETF Password Policy proposal for LDAP makes sense when considering a single-valued password attribute, while
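Review bot: the added sentence beginning "It means that not defining a rootdn" ends on "unless you have appropriate access control entries" without saying which identity needs access or to what, so an administrator running without a rootdn still cannot tell from the manpage what to configure. Suggest naming the access that is required, or pointing to the manpage section that describes it, instead of "appropriate". "It means that" also has no clear antecedent, since the preceding clause is about operations by other identities being subject to constraints; something like "As a consequence, if no rootdn is defined ..." would read more directly. As a style point, pwdLockout in the parenthetical is plain text while rootdn two lines above gets a .B macro; mark both up the same way.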