On 06/16/2016 11:45 AM, Michael Ströder wrote:
> The caveat with reading cn=config is that you might not be allowed to do so. One would need fine-grained read ACLs to avoid e.g. revealing the rootpw hash to an application. Well, on my systems there is no rootpw hash but you get the idea.

Yes. That's exactly my concern. I do not like the idea of letting ordinary LDAP clients access cn=config at all. So, it looks like there is currently no good solution for this.

> AFAIK other LDAP servers (e.g. OpenDJ) have two operational attributes:
> - 'pwdPolicySubentry' is set in every entry and therefore always points to the effective (default) pwdPolicy entry.
> - Another attribute (IIRC 'ds-pwp-password-policy-dn') is for setting an individual pwdPolicy entry to be used for a particular entry, overriding the default value.
> I'd love to see something like this standardized and implemented in OpenLDAP.

I completely agree with that.
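As an added illustration of the fine-grained read ACL mentioned above (this is not from the thread and not OpenLDAP's default configuration), the following LDIF grants one dedicated application identity read access to cn=config while denying everyone access to olcRootPW. The application DN `cn=ppolicy-reader,ou=services,dc=example,dc=com` is an assumed placeholder; `olcDatabase={0}config,cn=config` is the standard name of the config database in OpenLDAP's cn=config layout.

```ldif
# Added example, not part of the original thread.
# Goal: let a single service account look up password-policy settings in
# cn=config without ever being able to read the config database's rootpw hash.
# Assumed placeholder identity: cn=ppolicy-reader,ou=services,dc=example,dc=com
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
# Rule 0: nobody (other than the config rootdn, which bypasses ACLs) may
# read or compare olcRootPW, regardless of later rules.
olcAccess: {0}to attrs=olcRootPW
  by * none
# Rule 1: the application identity may read the rest of cn=config;
# every other bind, including anonymous, gets nothing.
olcAccess: {1}to dn.subtree="cn=config"
  by dn.exact="cn=ppolicy-reader,ou=services,dc=example,dc=com" read
  by * none
```

Apply it with `ldapmodify` as the config rootdn (or via `ldapi:///` with SASL EXTERNAL, depending on how the server is set up), then bind as the application identity and search `cn=config` for `olcRootPW`: the attribute must not appear in any returned entry. Because olcAccess rules are evaluated in order and the first matching `to` clause wins, the olcRootPW denial has to precede the broader subtree grant.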