Hi,
We have a customer setup where the corporate identity management application provisions users to the directory, resets their passwords etc...
The tool binds as a specific user and we permit write access to appropriate subtrees via an acl.
The customer also uses password policy to enforce policy in ldap.
The problem we have is that the idm tool is obviously also subject to the pwdMinAge and pwdSafeModify policies. The tool never stores a user's password so when pwdSafeModify is in effect it cannot provide the old password to satisfy the policy. It obviously also cannot reset the password until pwdMinAge has elapsed.
Giving the rootDN credentials to the tool is also not an option as we would like to keep audit logs clean and have the acl in place to stop the tool from writing all over the place.
So we would like to override password policy for the idm tool's bind user, similarly to how the rootDN is already able to bypass policy.
I found the following section in ppolicy.c:

    1197 static int
    1198 ppolicy_bind( Operation *op, SlapReply *rs )
    1199 {
    1200 	slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
    1201 
    1202 	/* Reset lockout status on all Bind requests */
    1203 	if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
    1204 		ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val);
    1205 		BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
    1206 	}
    1207 
    1208 	/* Root bypasses policy */
    1209 	if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) {
    1210 		Entry *e;
    1211 		int rc;
I would think that by hacking line 1205 one could hardcode an additional dn, but I am searching for a cleaner, more general solution.
I was thinking along the lines of having a configurable olcPPolicyOverride with a list of dns that override password policy like the rootDN already does.
If I attempted such a patch, would it have chances of being accepted from the architectural point of view?
Any other ideas on how to solve the above problem?
Greetings Christian
On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer ck-lists@cksoft.de wrote:
We have a customer setup where the corporate identity management application provisions users to the directory, resets their passwords etc...
The tool binds as a specific user and we permit write access to appropriate subtrees via an acl.
The customer also uses password policy to enforce policy in ldap.
The problem we have is that the idm tool is obviously also subject to the pwdMinAge and pwdSafeModify policies. The tool never stores a user's password so when pwdSafeModify is in effect it cannot provide the old password to satisfy the policy. It obviously also cannot reset the password until pwdMinAge has elapsed.
Giving the rootDN credentials to the tool is also not an option as we would like to keep audit logs clean and have the acl in place to stop the tool from writing all over the place.
So we would like to override password policy for the idm tool's bind user, similarly to how the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request: 1. limit such a write operation to a user which has 'manage' access to the attributes and 2. enable overriding only if the client sends Relax Rules Control along with the LDAP write request.
Ciao, Michael.
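As an added illustration of the setup Michael is proposing (this is example configuration written for this thread, not anything posted by Christian or Michael and not from the OpenLDAP documentation), the slapd.conf fragment below gives a dedicated IdM bind DN 'manage' access only to userPassword and the ppolicy operational attributes of the user subtree, and read access to nothing more. The suffix dc=example,dc=com, the bind DN cn=idm,ou=services,dc=example,dc=com, the ou=people subtree and the policy entry name are all assumed placeholders.

```conf
# Added example (assumed names): least-privilege slapd.conf fragment for an
# identity-management service account that resets passwords without the
# rootDN credentials, so the access log still shows cn=idm as the actor.

overlay ppolicy
# pwdMinAge / pwdSafeModify are set in this pwdPolicy entry; the rootDN is
# the only identity the overlay exempts on its own.
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# slapd ACLs are first-match, so the narrow grants come first.
# The ppolicy operational attributes are NO-USER-MODIFICATION: resetting
# them needs 'manage' access here *and* the Relax Rules control on the
# request, e.g.  ldapmodify -e relax -D "cn=idm,ou=services,dc=example,dc=com" ...
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=pwdAccountLockedTime,pwdReset,pwdHistory
        by dn.exact="cn=idm,ou=services,dc=example,dc=com" manage
        by * none

# The IdM account may set userPassword; users may change their own;
# anyone may bind with it; nobody may read it.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=userPassword
        by dn.exact="cn=idm,ou=services,dc=example,dc=com" manage
        by self write
        by anonymous auth
        by * none

# Everything else in the subtree stays read-only for the IdM account, so a
# leaked tool credential cannot rewrite the rest of the DIT.
access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=idm,ou=services,dc=example,dc=com" read
        by self write
        by users read
        by * none
```

The pwdHistory case Michael mentions later in the thread is the one this pattern is known to cover: 'manage' access plus the Relax Rules control (`-e relax` in the OpenLDAP command-line tools) lets cn=idm rewrite the operational attribute. Whether the same combination also lifts pwdMinAge and pwdSafeModify for a userPassword change by cn=idm is exactly the open question of this thread, so test it against the slapd version in use before relying on it.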
Team,
It's too hard to configure AD sync in OpenLDAP
Is any other third-party tool available on the market?
Regards Support Team.
From: "Michael Ströder" michael@stroeder.com To: openldap-technical@openldap.org, Christian Kratzer ck-lists@cksoft.de Date: 06/05/2013 03:20 PM Subject: Re: Possible ppolicy override for other than rootDN
On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer ck-lists@cksoft.de wrote:
We have a customer setup where the corporate identity management application provisions users to the directory, resets their passwords etc...
The tool binds as a specific user and we permit write access to appropriate subtrees via an acl.
The customer also uses password policy to enforce policy in ldap.
The problem we have is that the idm tool is obviously also subject to the pwdMinAge and pwdSafeModify policies. The tool never stores a user's password so when pwdSafeModify is in effect it cannot provide the old password to satisfy the policy. It obviously also cannot reset the password until pwdMinAge has elapsed.
Giving the rootDN credentials to the tool is also not an option as we would like to keep audit logs clean and have the acl in place to stop the tool from writing all over the place.
So we would like to override password policy for the idm tool's bind user, similarly to how the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request: 1. limit such a write operation to a user which has 'manage' access to the attributes and 2. enable overriding only if the client sends Relax Rules Control along with the LDAP write request.
Ciao, Michael.
Hi Michael,
On Wed, 5 Jun 2013, Michael Ströder wrote:
On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer ck-lists@cksoft.de wrote:
We have a customer setup where the corporate identity management application provisions users to the directory, resets their passwords etc...
The tool binds as a specific user and we permit write access to appropriate subtrees via an acl.
The customer also uses password policy to enforce policy in ldap.
The problem we have is that the idm tool is obviously also subject to the pwdMinAge and pwdSafeModify policies. The tool never stores a user's password so when pwdSafeModify is in effect it cannot provide the old password to satisfy the policy. It obviously also cannot reset the password until pwdMinAge has elapsed.
Giving the rootDN credentials to the tool is also not an option as we would like to keep audit logs clean and have the acl in place to stop the tool from writing all over the place.
So we would like to override password policy for the idm tool's bind user, similarly to how the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request:
1. limit such a write operation to a user which has 'manage' access to the attributes and 2. enable overriding only if the client sends Relax Rules Control along with the LDAP write request.
So one would need to check for manage access to userPassword and whether the relax rules control has been sent in this request.
I will try searching the code to see if any of that is readily accessible in the context needed for the check. I have not looked too deep into the openldap code yet to fully understand the internal architecture.
The above sounds quite neat, but I would still have the problem that the customer's aging enterprise application most certainly won't support ldap extended controls, which is why I was looking for a straightforward solution with a configurable override dn for ppolicy.
I can write up a feature request but am also willing to attempt the patch myself.
Also not yet clear if the customer really needs or wants this and if they are willing to maintain a local patch.
Greetings Christian
On Wed, 5 Jun 2013 12:08:50 +0200 (CEST) Christian Kratzer ck-lists@cksoft.de wrote:
On Wed, 5 Jun 2013, Michael Ströder wrote:
On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer ck-lists@cksoft.de wrote:
We have a customer setup where the corporate identity management application provisions users to the directory, resets their passwords etc...
The tool binds as a specific user and we permit write access to appropriate subtrees via an acl.
The customer also uses password policy to enforce policy in ldap.
The problem we have is that the idm tool is obviously also subject to the pwdMinAge and pwdSafeModify policies. The tool never stores a user's password so when pwdSafeModify is in effect it cannot provide the old password to satisfy the policy. It obviously also cannot reset the password until pwdMinAge has elapsed.
Giving the rootDN credentials to the tool is also not an option as we would like to keep audit logs clean and have the acl in place to stop the tool from writing all over the place.
So we would like to override password policy for the idm tool's bind user, similarly to how the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request:
1. limit such a write operation to a user which has 'manage' access to the attributes and 2. enable overriding only if the client sends Relax Rules Control along with the LDAP write request.
So one would need to check for manage access to userPassword and whether the relax rules control has been sent in this request.
I will try searching the code to see if any of that is readily accessible in the context needed for the check. I have not looked too deep into the openldap code yet to fully understand the internal architecture.
It's already done like this e.g. for write access to operational attribute 'pwdHistory'.
Ciao, Michael.
Hi,
On Wed, 5 Jun 2013, Michael Ströder wrote: <snipp/>
So one would need to check for manage access to userPassword and whether the relax rules control has been sent in this request.
I will try searching the code to see if any of that is readily accessible in the context needed for the check. I have not looked too deep into the openldap code yet to fully understand the internal architecture.
It's already done like this e.g. for write access to operational attribute 'pwdHistory'.
Ok. Thanks for the pointer. I'll research and see if it possibly already works that way.
Greetings Christian