Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
===
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * read
===
Any help would be appreciated.
Thanks,
Hannah
On Mon, 13 Apr 2020 10:34:36 -0700, Hannah Chenh hchenh@gmail.com wrote:
Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
[...]
Any help would be appreciated.
See man slapo-ppolicy(5); read up on the pwdPolicy objectclass and pwdPolicySubentry. Create a policy subtree and add all users' policy objects to this subtree.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
On Tue, 14 Apr 2020 16:26:20 +0200, Dieter Klünter dieter@dkluenter.de wrote:
On Mon, 13 Apr 2020 10:34:36 -0700, Hannah Chenh hchenh@gmail.com wrote:
Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
[...]
Any help would be appreciated.
See man slapo-ppolicy(5); read up on the pwdPolicy objectclass and pwdPolicySubentry. Create a policy subtree and add all users' policy objects to this subtree.
Sorry, my bad, this is rubbish. It should have been the answer to a different list.
-Dieter
On 13/04/2020 at 19:34, Hannah Chenh wrote:
Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
===
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * read
===
Any help would be appreciated.
I have done some tests today, I did not find a solution.
I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by rootdn.
--On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT clement.oudot@worteks.com wrote:
I have done some tests today, I did not find a solution.
I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by rootdn.
Correct, this is a deficiency in the current implementation. Ties in somewhat to https://bugs.openldap.org/show_bug.cgi?id=9211
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 4/15/20 6:44 PM, Quanah Gibson-Mount wrote:
--On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT clement.oudot@worteks.com wrote:
I have done some tests today, I did not find a solution.
I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by rootdn.
Correct, this is a deficiency in the current implementation. Ties in somewhat to https://bugs.openldap.org/show_bug.cgi?id=9211
In general I agree that there are real deficiencies regarding access control for extended controls and extended operations.
But I disagree with calling it a deficiency that it's not possible to violate the minimum password length constraint with a relax control or similar. This has to be carefully considered and decided for each possible use-case.
Ciao, Michael.
--On Wednesday, April 15, 2020 8:49 PM +0200 Michael Ströder michael@stroeder.com wrote:
But I disagree to call it a deficiency that it's not possible to violate minimum password length constraint with a relax control or similar. This has to be carefully considered and decided for each possible use-case.
I was talking more about the original use case: that you can't create an admin user (or group of admin users) that can reset a user's password (not that you can violate the policy around those passwords). That was the original request:
"Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?"
--Quanah
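To make the thread's two findings concrete (the ACL Hannah posted grants admin_user write access to userPassword, yet Clément's test shows only rootdn can push through a password that violates ppolicy), here is an added example, not code from the thread or from OpenLDAP. It is a deliberately simplified model of slapd ACL evaluation: rootdn skips ACL processing, otherwise the first matching "to" rule and its first matching "by" clause decide, and no matching clause is treated as "none". Only the "self", "anonymous", "*" and dn.base forms of <who> and the "*" and attrs= forms of <what> are modelled. The entry DNs for bob and alice and the pwdMinLength of 8 are constructed for the example; the Manager and admin_user DNs are the ones from the posted ACL. It also checks the posted LDIF for the missing continuation spaces (in LDIF a folded value must continue on lines starting with a single space), which ldapmodify would otherwise reject.

```python
import re

# Constructed values for this example; the DNs are taken from the posted ACL.
ROOTDN = "cn=Manager,dc=abcdomain,dc=com"
ADMIN_USER = "uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com"

# The posted ACL as valid LDIF: each continuation line starts with a space (the
# fold marker) followed by the space that separates the "by" clauses.
LDIF = """dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * read
"""
# The same text with the fold markers stripped, as it appeared in the mail.
POSTED_LDIF = "\n".join(l.lstrip() for l in LDIF.splitlines()) + "\n"
# slapd access levels, weakest to strongest (add/delete folded into write).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def malformed_ldif_lines(text):
    """1-based numbers of lines that are neither 'attr: value' nor a continuation."""
    return [n for n, raw in enumerate(text.splitlines(), 1)
            if raw and raw[0] not in " #" and not re.match(r"^[A-Za-z][\w.;-]*:", raw)]

def unfold_ldif(text):
    """Join continuation lines (leading space) onto the preceding line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_olc_access(text):
    """Return [(what, [(who, level), ...]), ...] in olcAccess order."""
    rules = []
    for line in unfold_ldif(text):
        if not line.startswith("olcAccess:"):
            continue
        value = re.sub(r"^\{\d+\}", "", line.split(":", 1)[1].strip())
        what, *by_clauses = re.split(r"\s+by\s+", value)
        if not what.startswith("to "):
            raise ValueError("olcAccess value must start with 'to': " + value)
        clauses = [tuple(clause.rsplit(None, 1)) for clause in by_clauses]
        rules.append((what[3:].strip(), clauses))
    return rules

def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn\.base="([^"]*)"', who)
    if m:
        return bind_dn is not None and bind_dn.lower() == m.group(1).lower()
    raise ValueError("<who> form not modelled here: " + who)

def _what_matches(what, attr):
    if what == "*":
        return True
    m = re.fullmatch(r"attrs=(\S+)", what)
    if m:
        return attr.lower() in m.group(1).lower().split(",")
    raise ValueError("<what> form not modelled here: " + what)

def access_level(rules, bind_dn, target_dn, attr):
    """rootdn skips ACL processing; otherwise the first rule whose <what>
    matches is used and its first matching <by> clause wins (else 'none')."""
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return "manage"
    for what, clauses in rules:
        if _what_matches(what, attr):
            for who, level in clauses:
                if _who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"

def password_reset_outcome(rules, bind_dn, target_dn, new_password, pwd_min_length=8):
    """Model of the thread's finding: write access on userPassword is necessary,
    but ppolicy checks (pwdMinLength here) apply to every binder except rootdn."""
    if LEVELS.index(access_level(rules, bind_dn, target_dn, "userPassword")) < LEVELS.index("write"):
        return (False, "insufficient access")
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return (True, "rootdn bypasses ppolicy")
    if len(new_password) < pwd_min_length:
        return (False, "pwdMinLength violated")
    return (True, "accepted")
```

Calling `access_level(parse_olc_access(LDIF), ADMIN_USER, "uid=bob,ou=People,dc=abcdomain,dc=com", "userPassword")` returns "write", while `password_reset_outcome(...)` for the same binder and a five-character password returns `(False, "pwdMinLength violated")`; only the ROOTDN binder gets `(True, "rootdn bypasses ppolicy")`. `malformed_ldif_lines(POSTED_LDIF)` lists every unfolded "by" line, which is why the LDIF as mailed would not load with ldapmodify.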
Thanks, Clément, for testing. I agree. Looks like it can only be done by rootdn.
On Wed, Apr 15, 2020 at 9:40 AM Clément OUDOT clement.oudot@worteks.com wrote:
On 13/04/2020 at 19:34, Hannah Chenh wrote:
Hello,
I have a question related to rootdn and password policy.
I understand that the rootdn can bypass all restrictions.
We have a requirement to bypass a password policy for the admin user.
Is there a way to create the admin user so that this user can have the same privilege as rootdn and I don't need to bind as rootdn in my application?
Currently I have granted the following to the admin_user:
===
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * read
===
Any help would be appreciated.
I have done some tests today, I did not find a solution.
I tried to give the "manage" right to a service account, and then use the relax or ManageDSAIT controls to force the change of a password which is too short; it is always rejected. The modification is only accepted if it is done by rootdn.
-- Clément Oudot | Identity Solutions Manager clement.oudot@worteks.com
Worteks | https://www.worteks.com