On Wed, Jan 12, 2022 at 05:28:32PM +0100, Michael Ströder wrote:
On 1/12/22 10:35, David Coutadeur wrote:
I suppose an admin changing the pwdChangedTime of an entry with the relax rule is a valid use case.
This is IMO indeed a tricky one:
I find arguments for the current behaviour but also for accepting submitted pwdChangedTime value in case relax rules control is used.
Modify requests seem to support this, gating it on ACL (password administrator role) + Relax control.
One could argue that the distinction between the two use-cases
"admin restores userPassword/pwdChangedTime"
and
"admin sets new userPassword"
can be deferred to ACL validation. The admin must have manage privilege on pwdChangedTime for the restore to succeed.
Those two would be distinguished by providing the new pwdChangedTime value in the Add?
From that perspective it might make sense to support this in Adds as we do in Modifies. Haven't thought about it too much yet. If you achieve consensus that the existing situation should change, please file an ITS addressing the above concerns and argue what Behera the draft intended.
AFAIK you should already be able to add the user and then set userPassword+pwdChangedTime if you have the rights.
Regards,