Hi,

Updating to 2.5.12 solved the differences between operation types.

Thanks.


From: Quanah Gibson-Mount <quanah@fast-mail.org>
To: tempo@net-c.com;
   uwe.sauter.de@gmail.com;
   openldap-technical@openldap.org
Subject: Re: role manage can bypass pwdCheckQuality with MOD but not with ADD op
Date: 24/06/2022 19:59:21 Europe/Paris



--On Friday, June 24, 2022 8:32 PM +0200 tempo@net-c.com wrote:

> Hi,
>
> Not sure I understand, but maybe my question is unclear.
>
> My question is just to know whether, with an admin having the "manage"
> role, it is possible to bypass the ppolicy check when adding a user.
>
> Because this is how it works when modifying userPassword of an already
> existing user.
>
> ADD and MOD look to work differently in their treatment of the
> userPassword attribute.


a) You should not be using MOD ops on userPassword

b) You probably want to be using the RELAX control when you do the ADD op
(mark it critical)

c) I suggest updating to a current OpenLDAP 2.5 release, as there were
fixes for ppolicy in 2.5.12 that may be relevant. (ITS#9794)

Regards,
Quanah