On 4/15/20 6:44 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT <clement.oudot@worteks.com> wrote:
>> I have done some tests today, I did not find a solution.
>> I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short, it is always rejected. The modification is only accepted if it is done by rootdn.
>
> Correct, this is a deficiency in the current implementation. Ties in somewhat to https://bugs.openldap.org/show_bug.cgi?id=9211
In general I agree that there are real deficiencies regarding access control for extended controls and extended operations.
But I disagree with calling it a deficiency that it's not possible to violate the minimum password length constraint with a relax control or similar. This has to be carefully considered and decided for each possible use-case.
Ciao, Michael.