Is any other third Party tool available
in market?
Regards
Support Team.
From:
"Michael Ströder" <michael@stroeder.com>
To:
openldap-technical@openldap.org, Christian
Kratzer <ck-lists@cksoft.de>
Date:
06/05/2013 03:20 PM
Subject:
Re: Possible ppolicy override for other
than rootDN
On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian
Kratzer <ck-lists@cksoft.de>
wrote
> We have a customer setup where the corporate identity management applications
> provisions users to the directory, resets their passwords etc...
>
> The tool binds as a specific user and we permit write access to appropriate
> subtress via an acl.
>
> The customer also uses password policy to enforce policy in ldap.
>
> The problem we have is that the idm tool is obivously also subject
to the
> pwdMinAge and pwdSafeModify policies. The tool never stores
a users password
> so when pwdSafeModify is in effect it cannot provide the old password
to
> satisfy the policy. It obviously also cannot reset the password
until
> pwdMinAge has elapsed.
>
> Giving the rootDN credentials to the tool is also not an option as
we would
> like to keep audit logs clean and have the acl in place to stop the
tool from
> writing all over the place.
>
> So we would like to override password policy for the idm tools bind
user
> similarly as the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request:
1. limit such a write operation to a user which has 'manage' access to
the
attributes and
2. enable overriding only if the client sends Relax Rules Control along
with
the LDAP write request.
Ciao, Michael.
VERNALIS SYSTEMS EMAIL NOTICE
-----------------------------
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or telephone and delete the original message from your mail system.