Currently, ppolicy only supports a single global default policy, and past that any policies must be manually added to a given user entry if they are supposed to have something other than the default policy. Also, some sites want no default policy, and only a specific subset to have a policy applied to them. For both of these cases, it would be helpful if it were possible to configure a policy to apply to a set of users via a URL similar to the way we handle creating groups of users in dynlist.
Where's the up-vote button? ;-) Reads: I'd appreciate this feature very much.
+1 for this feature! A user-selecting function like dynlist would be interesting, but not sure it could cover all use-cases? For example, a simple use case would be to bind a policy to every user in a particular group, with no memberOf-like feature enabled. On the other hand, maybe having a user-selecting function more like an ACL / acl-set would be overkill...
Commits:
• 1fac13d2 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9343 Let backend_attribute read operational attributes
  back-mdb checks requested attribute is present in the entry which can obstruct the fallback to backend_operational.
• 950ff8a5 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9343 Allow a list of default policies
• db9da051 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9343 Provide effective value of pwdPolicySubentry
• 6a903a8c by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9343 Switch ppolicy_get to rely on ppolicy_operational
• fbfb5454 by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9343 Allow Compare to check pwdPolicySubentry
• 646d0c1b by Ondřej Kuzník at 2022-03-07T14:54:39+00:00
  ITS#9497 Detect timing issues when they affect test
OK, discussing other use cases, just having a URL to select policies by isn't going to do it: e.g. group membership can't be tested by a filter at this level. Given that the range of options is too large, we might as well adopt a slapd.access(5)-like approach to configuration, with only filter= and group= being implemented for now.