https://bugs.openldap.org/show_bug.cgi?id=9343 Quanah Gibson-Mount <quanah(a)openldap.org&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |enhancement -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 Quanah Gibson-Mount <quanah(a)openldap.org&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|--- |2.5.1 -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 Quanah Gibson-Mount <quanah(a)openldap.org&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Target Milestone|2.5.3 |2.6.0 -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 --- Comment #2 from Mehmet gelisin <mehmetgelisin(a)aol.com&gt; --- Enabling the Netscape password policy controls in the ppolicy10 module provides a suitable workaround for many applications. For cases where that is not an http://www-look-4.com/ acceptable workaround, ACLs can be set up to permit attribute access techniques This ITS can be suspended in case further needs arise to support client applications that depended on specific ppoilicy8 behavior. http://www.compilatori.com/ Enabling the Netscape password policy controls in the ppolicy10 module provides a suitable workaround for many applications. For cases where that is not an http://www.wearelondonmade.com/ acceptable workaround, ACLs can be set up to permit attribute access techniques This ITS can be suspended in case further needs arise http://www.jopspeech.com/ to support client applications that depended on specific ppoilicy8 behavior. Enabling the Netscape password policy controls in http://joerg.li/ the ppolicy10 module provides a suitable workaround for many applications. For cases where that is not an acceptable workaround, ACLs can be set up to permit attribute access techniques http://connstr.net/ This ITS can be suspended in case further needs arise to support client applications that depended on specific ppoilicy8 behavior. http://embermanchester.uk/ ppolicy only supports a single global default policy, and past that any policies must be manually added to a given user entry if they are supposed to have something other than the default policy. http://www.slipstone.co.uk/ Also, some sites want no default policy, and only a specific subset to have a policy applied to them. http://www.logoarts.co.uk/ For both of these cases, it would be helpful if it were possible to configure a policy to apply to a set of users via a URL similar to the way we handle creating groups of users http://www.acpirateradio.co.uk/ specifies these requirements e.g. in 4.2.6 [0], just that ppolicy never implemented them. Also an application can: - have its identity set to "manage"/"write" accordingly so it is/not considered "password administrator" in the eyes of the draft https://waytowhatsnext.com/ - write the relevant attributes (pwdReset, ...) in the same operation overriding the defaults Requiring the application to use the relax control to change certain attributes is not reversible AFAIK, which is why this was not done in 2.4... https://www.webb-dev.co.uk/ Should we need to change any of this, we need to specifies these requirements e.g. in 4.2.6 [0], just that ppolicy never implemented them. Also an application can: - have its identity set to "manage"/"write" accordingly so it is/not considered "password administrator" in the eyes of the draft - write the relevant attributes (pwdReset, ...) in the same operation overriding the defaults Requiring the application to use the relax control to change certain attributes is not reversible AFAIK, which is why this was not done in 2.4... http://www.iu-bloomington.com/ Should we need to change any of this, we need to -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 Quanah Gibson-Mount <quanah(a)openldap.org&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|UNCONFIRMED |RESOLVED --- Comment #4 from Quanah Gibson-Mount <quanah(a)openldap.org&gt; --- Commits: • 1fac13d2 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Let backend_attribute read operational attributes back-mdb checks requested attribute is present in the entry which can obstruct the fallback to backend_operational. • 950ff8a5 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Allow a list of default policies • db9da051 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Provide effective value of pwdPolicySubentry • 6a903a8c by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Switch ppolicy_get to rely on ppolicy_operational • fbfb5454 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9343 Allow Compare to check pwdPolicySubentry • 646d0c1b by Ondřej Kuzník at 2022-03-07T14:54:39+00:00 ITS#9497 Detect timing issues when they affect test -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 Ondřej Kuzník <ondra(a)mistotebe.net&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CONFIRMED |IN_PROGRESS -- You are receiving this mail because: You are on the CC list for the issue.

https://bugs.openldap.org/show_bug.cgi?id=9343 Ondřej Kuzník <ondra(a)mistotebe.net&gt; changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CONFIRMED Ever confirmed|0 |1 Resolution|FIXED |--- -- You are receiving this mail because: You are on the CC list for the issue.