
Re: Possible ppolicy override for other than rootDN



Hi Michael,

On Wed, 5 Jun 2013, Michael Ströder wrote:

On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer <ck-lists@cksoft.de>
wrote:
We have a customer setup where the corporate identity management applications
provisions users to the directory, resets their passwords etc...

The tool binds as a specific user and we permit write access to appropriate
subtrees via an acl.

The customer also uses password policy to enforce policy in ldap.

The problem we have is that the idm tool is obviously also subject to the
pwdMinAge and pwdSafeModify policies.  The tool never stores a user's password
so when pwdSafeModify is in effect it cannot provide the old password to
satisfy the policy.  It obviously also cannot reset the password until
pwdMinAge has elapsed.

Giving the rootDN credentials to the tool is also not an option as we would
like to keep audit logs clean and have the acl in place to stop the tool from
writing all over the place.

So we would like to override password policy for the idm tool's bind user
similarly to how the rootDN is already able to bypass policy.

If it's not already implemented I'd recommend this feature request:
1. limit such a write operation to a user which has 'manage' access to the
attributes and
2. enable overriding only if the client sends Relax Rules Control along with
the LDAP write request.

So one would need to check for manage access to userPassword and if the
relax control rule has been sent in this request.

I will try searching the code to see if any of that is readily accessible in
the context needed for the check. I have not looked too deep in the
openldap code yet to fully understand the internal architecture.

Above sounds quite neat but I would still have the problem that the customer's
aging enterprise application most certainly won't support ldap extended controls
which is why I was looking for a straightforward solution with a configurable
override dn for ppolicy.

I can write up a feature request but am also willing to attempt the
patch myself.

Also not yet clear if the customer really needs or wants this and if
they are willing to maintain a local patch.

Greetings
Christian

--
Christian Kratzer                      CK Software GmbH
Email:   ck@cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
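Added illustration (not code from the thread, and not OpenLDAP's slapo-ppolicy implementation): a small Python model of the two checks the IDM bind user trips over, pwdSafeModify and pwdMinAge, together with the gated override Michael suggests. The override is granted only when both conditions hold: the ACL evaluation gave the bound user 'manage' access to userPassword and the request carries the Relax Rules control (OID 1.3.6.1.4.1.4203.666.5.12, LDAP_CONTROL_RELAX in OpenLDAP's ldap.h). The DNs, the policy values and the ACL result are constructed sample data; the ACL outcome is passed in as a flag rather than evaluated.

```python
"""Model of the ppolicy checks and the gated override discussed in the thread.

Added example, not OpenLDAP's slapo-ppolicy code. All entry, policy and
request values below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# OID of the Relax Rules control (LDAP_CONTROL_RELAX in OpenLDAP's ldap.h)
RELAX_RULES_OID = "1.3.6.1.4.1.4203.666.5.12"


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as pwdChangedTime '20130605085710Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Policy:
    pwd_min_age: int = 0            # seconds; 0 disables the pwdMinAge check
    pwd_safe_modify: bool = False   # pwdSafeModify: old value must be supplied


@dataclass
class Entry:
    dn: str
    pwd_changed_time: Optional[str] = None   # GeneralizedTime, None if never set


@dataclass
class Request:
    bind_dn: str
    old_password_supplied: bool            # delete-old + add-new modify form
    controls: Tuple[str, ...] = ()         # control OIDs attached to the request
    has_manage_access: bool = False        # assumed result of the ACL evaluation


def check_password_change(entry: Entry, policy: Policy,
                          request: Request, now: datetime) -> Optional[str]:
    """Return None if the change is allowed, otherwise the ppolicy error text.

    The override mirrors the thread's proposal: 'manage' access to
    userPassword AND the Relax Rules control, never one of them alone.
    """
    override = request.has_manage_access and RELAX_RULES_OID in request.controls
    if override:
        return None
    if policy.pwd_safe_modify and not request.old_password_supplied:
        return "pwdSafeModify: current password must be supplied"
    if policy.pwd_min_age and entry.pwd_changed_time:
        changed = parse_generalized_time(entry.pwd_changed_time)
        if now - changed < timedelta(seconds=policy.pwd_min_age):
            return "pwdMinAge: password too young to be changed"
    return None


def run_scenarios() -> dict:
    """Constructed scenarios for an IDM provisioning user (sample data)."""
    policy = Policy(pwd_min_age=86400, pwd_safe_modify=True)
    # Password was set about three hours before 'now', well inside pwdMinAge.
    entry = Entry(dn="uid=jdoe,ou=people,dc=example,dc=com",
                  pwd_changed_time="20130605085710Z")
    now = datetime(2013, 6, 5, 12, 0, 0, tzinfo=timezone.utc)
    idm = "cn=idm-provisioner,ou=services,dc=example,dc=com"  # hypothetical DN
    results = {}
    # 1. Plain replace of userPassword without the old value (what the tool does).
    results["plain_replace"] = check_password_change(
        entry, policy, Request(idm, False), now)
    # 2. Even with the old password supplied, pwdMinAge still blocks the reset.
    results["with_old_password"] = check_password_change(
        entry, policy, Request(idm, True), now)
    # 3. Relax Rules control without 'manage' access must not bypass policy.
    results["relax_only"] = check_password_change(
        entry, policy, Request(idm, False, (RELAX_RULES_OID,)), now)
    # 4. 'manage' access without the control must not bypass policy either.
    results["manage_only"] = check_password_change(
        entry, policy, Request(idm, False, (), True), now)
    # 5. Both conditions: the gated override proposed in the thread.
    results["manage_and_relax"] = check_password_change(
        entry, policy, Request(idm, False, (RELAX_RULES_OID,), True), now)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome or 'allowed'}")
```

The point of scenarios 3 and 4 is the one the thread raises against a plain "override dn": requiring both the ACL grant and an explicit control means a compromised or misconfigured service account that merely has write access, or a client that merely sends the control, still cannot skip the policy; the audit trail also keeps the real bind DN rather than the rootDN.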