Hi,

Not sure I understand, but maybe my question is unclear.

My question is just to know whether, with an admin having the "manage" role, it is possible to bypass the ppolicy check when adding a user.

Because this is how it works when modifying the userPassword of an already existing user.

ADD and MOD seem to work differently in how they treat the userPassword attribute.

:)


From: Uwe Sauter <uwe.sauter.de@gmail.com>
To: openldap-technical@openldap.org
Subject: Re: role manage can bypass pwdCheckQuality with MOD but not with ADD op
Date: 24/06/2022 18:20:20 Europe/Paris

As far as I understand, everybody with write access to the userPassword
attribute can set this to any value.

In order to involve the ppolicy module you need to use extended
ldapmodify functionality (ldappasswd, ldapmodify -E ppolicy or a
properly configured passwd/PAM stack).

On 24.06.22 at 16:59, tempo@net-c.com wrote:
> Hi,
>
> I'm doing some testing on userPassword management actually with openldap
> 2.5.9
>
> I noticed that I could MOD a userPassword without checking quality if my
> admin role was "manage"
>
> However, if I try to ADD a user with its userPassword attribute set,
> then quality is checked despite the "manage" role
>
> ppolicy in both cases is the default one (policy subentry not set)
>
> Is it normal behavior?
>
> Regards,
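As an added illustration of Uwe's suggestion (this is not configuration from either poster), the LDIF below attaches the ppolicy overlay to a database with a default policy that enforces quality checking, and the comments show client invocations that request the ppolicy control so the server reports the policy result. The suffix dc=example,dc=com, the database index {1}mdb and all DNs are assumptions.

```ldif
# Constructed example: ppolicy overlay on the assumed olcDatabase={1}mdb,
# pointing at a default policy that applies when no pwdPolicySubentry is set
# (the situation described in the thread). The ppolicy module must be loaded.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# The default policy itself (assumed DN). pwdPolicy is auxiliary, so a
# structural class such as device carries the entry.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 2 = check quality and reject the change when it cannot be checked,
# e.g. when the client sends a pre-hashed value instead of cleartext.
pwdCheckQuality: 2
pwdMinLength: 12

# Client side: request the ppolicy control with the general-extension
# option -e so that violations come back as a ppolicy response control
# (assumed bind DN and target DN):
#   ldapmodify -H ldap://localhost -D cn=admin,dc=example,dc=com -W \
#       -e ppolicy -f change-userpassword.ldif
#   ldappasswd -H ldap://localhost -D cn=admin,dc=example,dc=com -W \
#       -e ppolicy -S uid=alice,ou=people,dc=example,dc=com
```

Load the overlay entry as the cn=config administrator and the policy entry as the directory manager; whether a given bind still has the check applied is what the thread's test is about, so compare results with and without the control when reproducing it.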