Aravind Gottipati wrote:
> Hi,
> This thread has been dead for some time now. Here is the link to the original thread and all the follow-up discussion (http://www.openldap.org/lists/openldap-software/200901/msg00147.html). An ITS request (5911) was in place for the feature (looks like it's been closed since); Howard had suggested that these requests generally get worked on as and when folks have time to implement them.
I closed that ITS because we viewed it as a security liability, not as a feature worthy of implementing. I think that conclusion was already clear from the earlier mailing list discussion.
In this case, we've done a fair bit of tweaks in the ppolicy code recently. Your suggestions were not missed due to lack of time, they were rejected due to lack of technical merit.
> We (at Mozilla) needed this feature to better support users in-house, so we contracted the development out to Zytrax. I am happy to inform you that this code is now ready and works for us on both 2.4.13 and 2.4.16. Here is the link (http://www.zytrax.com/books/ldap/ch6/ppolicy.html) to the documentation from Zytrax about how this feature works; it also contains links to download the code. I am not sure how we'd go about getting this code integrated into mainline OpenLDAP, but we would love for this code to be a part of the regular OpenLDAP releases. This code plays nice with existing setups in that its features are turned off by default and it behaves exactly as the original ppolicy module does.
Generally, we implement features according to the published specs. If you believe this feature is valuable, you should push to have it included in the next version of the ppolicy draft. I've been pushing for a few additions recently as well.
http://www.openldap.org/lists/ietf-ldapext/200907/msg00001.html
> Please let me know if you have any questions about how this works or if there are other concerns about including this in regular OpenLDAP software releases.
Follow the Contributing guidelines if you want the code considered for inclusion. Of course since folks at Zytrax are the actual authors, they're the ones who will have to do the actual submission.
http://www.openldap.org/devel/contributing.html
But again, nothing is going to happen without buy-in from other reviewers and adoption into the published draft. I suspect that in its current form, no one is going to back this idea though because it is fundamentally unsound.