
Re: Building openldap with overlays
On Sun, 2004-11-21 at 01:11, Howard Chu wrote:
> Sounds like a flaw in the ppolicy schema definition. You can work around
> this by adding "NO-USER-MODIFICATION" to the definition of the
> operational attributes in ppolicy.c. (Seems counter-intuitive, but it
> will work.)

Yes, I worked that out after I posted by reading the code. However, what
I couldn't work out is that although none of the operational attrs have
"NO-USER-MODIFICATION" defined, pwdFailureTime and pwdAccountLockedTime
still manage to update. I think they are being updated using the
rootdn (but I'm not familiar enough with the code to be sure). Is there
any reason why the other op attrs aren't updated using the rootdn
instead of the user's dn during a password update extended operation?

My reason for not being keen on adding NO-USER-MODIFICATION into the
schema is that I'm working around an issue with Solaris's pam_ldap where
the pwdReset attribute isn't honoured (when it is set, users can log in no
problem) by allowing users in the sysadmin group to tweak the
pwdLastChanged value to force a password change.
BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000