I fail to see where slapd.conf comes into play with handling of pwdPolicySubentry: Both the policies and the users are defined in a different (MDB) database. Only the default policy may be stored in the config database directly, and I did not talk about that.
Kind regards, Ulrich Windl
-----Original Message----- From: Ondřej Kuzník ondra@mistotebe.net Sent: Thursday, May 8, 2025 10:58 AM To: Windl, Ulrich u.windl@ukr.de Cc: openldap-technical@openldap.org Subject: [EXT] Re: Re: Re: Re: using refint overlay for pwdPolicySubentry
On Thu, May 08, 2025 at 05:40:07AM +0000, Windl, Ulrich wrote:
Hi!
I don't know who said "Ease of use, not ease of implementation is the design goal", but If one DN is used as a value for some attribute, and there's a "referential integrity module" to update such attributes if the underlying DN changes, it's hard to explain why it would work for some cases, but not for others. And to make things worse: It just fails silently.
Ok, let's play devil's advocate and assume someone configured OpenLDAP with slapd.conf: how do you propose refint goes about adjusting that configuration for you? Does it write a new configuration file, do ACLs/limit stanzas get rewritten as well on renames? How about regex based ACLs/limits?
Maybe you can help us design this functionality to improve the ease of use, maybe you have suggestions how the documentation can be improved to make sure people appreciate the limitations at the appropriate time and decide how well it covers their use case.
After all this is still a community based project and without the wisdom and contributions of the community it will not advance.
Thanks,
-- Ondřej Kuzník Senior Software Engineer Symas Corporation http://www.symas.com Packaged, certified, and supported LDAP solutions powered by OpenLDAP