Full_Name: Matthieu Cerda
Version: 2.4.40
OS: Debian jessie
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.213.124.6)

Hello !

As per http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I would like to submit a small improvement to the slapo-ppolicy manpage to clarify rootdn presence / absence implications in a ppolicy enabled setup.

Here is the patch (I think it's short enough not to justify a separate upload):

---8<--- From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001 From: Matthieu Cerda <matthieu.cerda@nbs-system.com> Date: Tue, 3 Jan 2017 14:45:37 +0100 Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible consequences --- doc/man/man5/slapo-ppolicy.5 | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 8306f9761..6d3edb9c4 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the operation is performed with the .B rootdn identity; all the operations, when performed with any other identity, -may be subjected to constraints, like access control. +may be subjected to constraints, like access control. It means that +not defining a +.B rootdn +in your configuration is likely to lead to undesirable behavior (like +account locking using pwdLockout not working properly) unless you have +appropriate access control entries. .P Note that the IETF Password Policy proposal for LDAP makes sense when considering a single-valued password attribute, while -- 2.11.0 ---8<---

Thanks in advance,
Have a nice day,

--
Matthieu Cerda
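Review bot: The sentence added after "like access control." opens with "It means that", which presents the rootdn requirement as a consequence of the preceding statement that some policies do not take effect for the rootdn identity; the requirement would read more clearly as its own direct sentence. "Undesirable behavior" and "appropriate access control entries" are also too vague for an administrator to act on: the text should say which identity needs which access for pwdLockout to work when no rootdn is defined. As a style point, pwdLockout is left unmarked while rootdn is set with .B in the same paragraph.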
--On Wednesday, January 11, 2017 4:44 PM +0000 matthieu.cerda@nbs-system.com wrote:

> Full_Name: Matthieu Cerda
> Version: 2.4.40
> OS: Debian jessie
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.213.124.6)
>
>
> Hello !
>
> As per
> http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I
> would like to submit a small improvement to the slapo-ppolicy manpage to
> clarify rootdn presence / absence implications in a ppolicy enabled setup.
>
> Here is the patch (I think it's short enough not to justify a separate
> upload):

Thanks! We went with something slightly different, but the rootdn requirement should be absolutely clear now.

Regards,
Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
changed notes changed state Open to Release moved from Incoming to Documentation
Fixed in master Fixed in RE25 Fixed in RE24 (2.4.45)
changed notes changed state Release to Closed