Issue 8565 - Clarification of the slapo-ppolicy manpage
Summary: Clarification of the slapo-ppolicy manpage
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: documentation
Version: 2.4.40
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
Reported: 2017-01-11 16:44 UTC by matthieu.cerda@nbs-system.com
Modified: 2017-06-01 22:12 UTC

Description matthieu.cerda@nbs-system.com 2017-01-11 16:44:24 UTC
Full_Name: Matthieu Cerda
Version: 2.4.40
OS: Debian jessie
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.213.124.6)


Hello !

As per http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I
would like to submit a small improvement to the slapo-ppolicy manpage to clarify
rootdn presence / absence implications in a ppolicy enabled setup.

Here is the patch (I think it's short enough not to justify a separate upload):

---8<---
From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001
From: Matthieu Cerda <matthieu.cerda@nbs-system.com>
Date: Tue, 3 Jan 2017 14:45:37 +0100
Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible
 consequences

---
 doc/man/man5/slapo-ppolicy.5 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 8306f9761..6d3edb9c4 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the
operation
 is performed with the
 .B rootdn
 identity; all the operations, when performed with any other identity,
-may be subjected to constraints, like access control.
+may be subjected to constraints, like access control. It means that
+not defining a
+.B rootdn
+in your configuration is likely to lead to undesirable behavior (like
+account locking using pwdLockout not working properly) unless you have
+appropriate access control entries.
 .P
 Note that the IETF Password Policy proposal for LDAP makes sense
 when considering a single-valued password attribute, while 
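Review bot: the added sentence ("not defining a rootdn ... is likely to lead to undesirable behavior ... unless you have appropriate access control entries") is too vague for a man page. It does not say which identity needs access, to which attributes, or what besides pwdLockout is affected; state it as a requirement or name the access that has to be granted. "It means that" also does not follow from the preceding sentence, which is about operations performed by non-rootdn identities rather than about a configuration with no rootdn, so the new text would read better as its own sentence starting on a new line. Style point: pwdLockout is left as plain text while rootdn is set with .B; mark both up the same way.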
-- 
2.11.0
---8<---

Thanks in advance,
Have a nice day,
--
Matthieu Cerda
Comment 1 Quanah Gibson-Mount 2017-01-18 16:08:17 UTC
--On Wednesday, January 11, 2017 4:44 PM +0000 
matthieu.cerda@nbs-system.com wrote:

> Full_Name: Matthieu Cerda
> Version: 2.4.40
> OS: Debian jessie
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.213.124.6)
>
>
> Hello !
>
> As per
> http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I
> would like to submit a small improvement to the slapo-ppolicy manpage to
> clarify rootdn presence / absence implications in a ppolicy enabled setup.
>
> Here is the patch (I think it's short enough not to justify a separate
> upload):

Thanks!  We went with something slightly different, but the rootdn 
requirement should be absolutely clear now.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>


Comment 2 Quanah Gibson-Mount 2017-01-18 16:08:41 UTC
changed notes
changed state Open to Release
moved from Incoming to Documentation
Comment 3 OpenLDAP project 2017-06-01 22:12:28 UTC
Fixed in master
Fixed in RE25
Fixed in RE24 (2.4.45)
Comment 4 Quanah Gibson-Mount 2017-06-01 22:12:28 UTC
changed notes
changed state Release to Closed