masarati@aero.polimi.it wrote:
Then the patch is trivial: [..] If there's consensus, I'll commit it.
Seems like a pointless change. You must set ACLs for this type of modification to be allowed. Since you must set ACLs anyway, there is no good reason to use the pwdAllowUserChange policy setting in the first place. In general the pwdAllowUserChange option is only useful on systems that do not already provide fine grained access controls.
Agree (see my previous message). For this purpose, I suggest to add, in slapo-ppolicy(5), a comment about discouraging the use of pwdAllowUserChange since OpenLDAP provides fine-grain ACLs.
I already knew that this can be achieved by ACLs but...
OpenLDAP should behave as stated in the ppolicy spec and the man-pages.
sometimes it'd be more handy to use this flag in an already existing
pwdPolicy entry than defining additional ACLs.
Since this patch seems so trivial why not commit it?
The patch is the result of my reading in 5 minutes a single portion of a spec I read in detail years ago, so my interpretation could not be the most correct. Since Howard implemented slapo-ppolicy(5), I believe his interpretation of the spec is more accurate. The fact that he interprets this flag as a complete replacement of ACLs on systems where they are not granular enough lets me think that its behavior should be broader (i.e. apply to all users) rather than strictly sticking to the word (i.e. apply to self only).
That's why I'm seeking consensus before committing a patch (that could be harmful, as the current behavior of slapo-ppolicy(5) makes this flag work as a complete alternative to ACLs, while the new behavior, not complemented by appropriate ACLs, could allow anybody but self to change the pwd).
p.
-
masaratiļ¼ aero.polimi.it