https://bugs.openldap.org/show_bug.cgi?id=9343
Issue ID: 9343
Summary: Expand ppolicy policy configuration to allow URL filter
Product: OpenLDAP
Version: 2.5
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---
Currently, ppolicy only supports a single global default policy, and past that any policies must be manually added to a given user entry if they are supposed to have something other than the default policy.
Also, some sites want no default policy, and only a specific subset to have a policy applied to them.
For both of these cases, it would be helpful if it were possible to configure a policy to apply to a set of users via a URL, similar to the way we handle creating groups of users in dynlist.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Severity | normal | enhancement
--- Comment #1 from Michael Ströder michael@stroeder.com --- Where's the up-vote button? ;-)
Reads: I'd appreciate this feature very much.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | --- | 2.5.1
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | 2.5.1 | 2.5.3
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | 2.5.3 | 2.6.0
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | 2.6.0 | 2.7.0
--- Comment #2 from Mehmet gelisin mehmetgelisin@aol.com ---
Enabling the Netscape password policy controls in the ppolicy10 module provides a suitable workaround for many applications. For cases where that is not an acceptable workaround, ACLs can be set up to permit attribute access techniques
This ITS can be suspended in case further needs arise to support client applications that depended on specific ppolicy8 behavior.
specifies these requirements e.g. in 4.2.6 [0], just that ppolicy never implemented them. Also an application can:
- have its identity set to "manage"/"write" accordingly so it is/not considered "password administrator" in the eyes of the draft
- write the relevant attributes (pwdReset, ...) in the same operation overriding the defaults
Requiring the application to use the relax control to change certain attributes is not reversible AFAIK, which is why this was not done in 2.4...
Should we need to change any of this, we need to
--- Comment #3 from David Coutadeur david.coutadeur@gmail.com --- +1 for this feature!
A user-selecting function like dynlist would be interesting, but not sure it could cover all use-cases? For example, a simple use case would be to bind a policy to every user in a particular group, with no memberOf-like feature enabled.
On the other hand, maybe having a user-selecting function more like an ACL / acl-set would be overkill...
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Resolution | --- | FIXED
Status | UNCONFIRMED | RESOLVED
--- Comment #4 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 1fac13d2 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Let backend_attribute read operational attributes
back-mdb checks requested attribute is present in the entry which can obstruct the fallback to backend_operational.
• 950ff8a5 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Allow a list of default policies
• db9da051 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Provide effective value of pwdPolicySubentry
• 6a903a8c by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Switch ppolicy_get to rely on ppolicy_operational
• fbfb5454 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Allow Compare to check pwdPolicySubentry
• 646d0c1b by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9497 Detect timing issues when they affect test
--- Comment #5 from Ondřej Kuzník ondra@mistotebe.net --- OK, discussing other use cases, just having a URL to select policies by isn't going to do it: e.g. group membership can't be tested by a filter at this level.
Given that the range of options is too large, we might as well adopt a slapd.access(5)-like approach to configuration, with only filter= and group= being implemented for now.
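The selection layering discussed in the report (an explicit pwdPolicySubentry on the entry, otherwise the default policy, which some sites want to leave unset) and in comment #5 (ordered slapd.access(5)-style rules where a group= condition has to read the group entry because a plain filter cannot test membership) can be modelled in a few lines. The following is an added illustration, not slapd or ppolicy code; the rule tuples, the policy and group DNs, the sample entries and the return values are all constructed for this example and do not reflect the syntax the overlay actually ended up with.

```python
"""Toy model of password policy selection for a user entry (hypothetical).

Order of precedence modelled here:
  1. an explicit pwdPolicySubentry on the entry (the pre-existing mechanism),
  2. ordered rules, first match wins; "filter" tests the user's own attributes,
     "group" reads the group entry's member values (no memberOf needed),
  3. the default policy, which a site may choose not to configure at all.
"""
import re
from typing import Optional

# Constructed sample directory: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "departmentnumber": ["it"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "departmentnumber": ["finance"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"],
        "pwdpolicysubentry": ["cn=legacy-policy,ou=policies,dc=example,dc=com"],
    },
    "uid=dave,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"]},
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectclass": ["account"], "employeetype": ["service"],
    },
}

DEFAULT_POLICY = "cn=default-policy,ou=policies,dc=example,dc=com"

# Hypothetical ordered rules (kind, what, policy). A policy of None means
# "apply no password policy" to the users the rule matches.
RULES = [
    ("group", "cn=admins,ou=groups,dc=example,dc=com",
     "cn=admin-policy,ou=policies,dc=example,dc=com"),
    ("filter", "(employeeType=service)", None),
    ("filter", "(departmentNumber=finance)",
     "cn=finance-policy,ou=policies,dc=example,dc=com"),
]

_EQ_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()*]+)\)$")


def filter_matches(filt: str, attrs: dict) -> bool:
    """Evaluate one equality filter such as (departmentNumber=finance).

    Only simple equality is modelled; names and values compare
    case-insensitively, as caseIgnore syntaxes do in LDAP.
    """
    m = _EQ_FILTER.match(filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1).lower(), m.group(2).lower()
    return any(v.lower() == value for v in attrs.get(attr, []))


def group_matches(group_dn: str, user_dn: str, directory: dict) -> bool:
    """Test membership by reading the group entry, not the user entry.

    A missing group matches nobody, so a typo in the rule fails closed
    instead of silently handing the group's policy to everyone.
    """
    group = directory.get(group_dn)
    if group is None:
        return False
    members = {m.lower() for m in group.get("member", [])}
    return user_dn.lower() in members


def effective_policy(user_dn: str, rules=RULES,
                     default: Optional[str] = DEFAULT_POLICY,
                     directory: dict = DIRECTORY):
    """Return (policy_dn, reason); policy_dn is what the entry's effective
    pwdPolicySubentry would read, None meaning no policy is applied."""
    attrs = directory.get(user_dn)
    if attrs is None:
        raise KeyError(user_dn)
    explicit = attrs.get("pwdpolicysubentry")
    if explicit:
        return explicit[0], "entry pwdPolicySubentry"
    for index, (kind, what, policy) in enumerate(rules):
        if kind == "filter":
            matched = filter_matches(what, attrs)
        elif kind == "group":
            matched = group_matches(what, user_dn, directory)
        else:
            raise ValueError(f"unknown rule kind: {kind}")
        if matched:
            return policy, f"rule {index}"
    if default is None:
        return None, "no default policy"
    return default, "default policy"


if __name__ == "__main__":
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            print(dn, "->", effective_policy(dn))
```

Two design points carry over to a real deployment: rule order matters (alice is in the admins group and would also match any later department rule, so the stricter admin policy is listed first), and a rule that explicitly selects "no policy" for service accounts is visible in configuration, rather than relying on the absence of a default, which makes the exemption easy to audit.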
Ondřej Kuzník ondra@mistotebe.net changed:
What | Removed | Added
See Also | | https://bugs.openldap.org/show_bug.cgi?id=9813
Ondřej Kuzník ondra@mistotebe.net changed:
What | Removed | Added
Status | RESOLVED | CONFIRMED
Ever confirmed | 0 | 1
Resolution | FIXED | ---
Ondřej Kuzník ondra@mistotebe.net changed:
What | Removed | Added
Status | CONFIRMED | IN_PROGRESS
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | IN_PROGRESS | RESOLVED
Resolution | --- | FIXED