Radovan Semancik wrote:
I'm glad that you confirmed that. I was afraid that I'm overlooking something essential here.
On 06/15/2016 10:14 PM, Clément OUDOT wrote:
Well, if there is a default ppolicy configured, and yes you need to search it in cn=config, but it can also be a configuration parameter on your side. If there is not, the policy will be defined in pwdPolicySubentry, so you can directly request it.
Yes, theoretically I can have a configuration parameter on my side. But practically that is asking for trouble during operation and maintenance. If the pointer to the default password policy in OpenLDAP changes, I'm quite sure nobody will think about updating the configuration of my application.
The caveat with reading cn=config is that you might not be allowed to do so. One would need fine-grained read ACLs to avoid e.g. revealing the rootpw hash to an application. Well, on my systems there is no rootpw hash, but you get the idea.
AFAIK other LDAP servers (e.g. OpenDJ) have two operational attributes:
1. 'pwdPolicySubentry' is set in every entry and therefore always points to the effective (default) pwdPolicy entry.
2. Another attribute (IIRC 'ds-pwp-password-policy-dn') is for setting an individual pwdPolicy entry to be used for a particular entry overriding the default value.
I'd love to see something like this standardized and implemented in OpenLDAP.
Ciao, Michael.