
Re: (ITS#7004) ppolicy pwdCheckQuality constraint prevents from changing userPassword, even if pwdPolicySubentry is removed in the same modify operation



> Full_Name: Clément OUDOT
> Version: 2.4.26
> OS: GNU/Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (90.9.0.93)
>
>
> I have a piece of code that does this single modify operation on OpenLDAP:
> * remove pwdPolicySubentry value
> * replace userPassword value
>
> My password policy has pwdCheckQuality set to 2 (strict checking). My new
> userPassword value is {SASL}bob@example.com. But the modify operation
> failed with:
>
> conn=1058 op=100 RESULT tag=103 err=19 text=Password fails quality checking policy
>
>
> I was thinking that removing the pwdPolicySubentry was sufficient to
> disable all ppolicy constraints on the userPassword replacement in the
> same modify operation.
> Am I wrong or do I face a ppolicy overlay bug?

I think this question should be directed to openldap-technical, as it is a
usage question.

In detail, I think the behavior of slapd and slapo-ppolicy(5) is correct,
because pwdPolicySubentry was present when the operation initiated, and
thus the behavior of slapo-ppolicy(5) needs to be based on the entry's
content when the operation was initiated.

I also think this may represent a possible field of application of the
"relax" control, although neither draft-zeilenga-ldap-relax nor
draft-behera-ldap-password-policy document it.  Something like the relax
control would allow changing a password despite the password policy, as
soon as the final result complies with the protocol, including extensions.
This would mean that slapo-ppolicy(5) constraints would eventually be
evaluated for the entry as it results from the operation.

But I think I've gone too far in discussing a usage question on the ITS.

p.
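The timing argument in the reply, as an added Python simulation that is not part of the ITS, of slapd or of slapo-ppolicy: it applies the single modify operation from the report to a constructed entry and picks the effective policy either from the entry as it was when the operation started (what slapd does) or from the entry as it results from the operation (the relax idea). The entry, the policy DN and the rule that a scheme-prefixed value such as {SASL}... cannot be quality-checked and is therefore rejected under pwdCheckQuality 2 are assumptions made here.

```python
# Constructed sample data; DNs and values are placeholders, not from the report.
ENTRY = {
    "dn": "uid=bob,dc=example,dc=com",
    "userPassword": ["{SSHA}placeholder-old-hash"],
    "pwdPolicySubentry": ["cn=strict,ou=policies,dc=example,dc=com"],
}
POLICIES = {"cn=strict,ou=policies,dc=example,dc=com": {"pwdCheckQuality": 2}}

# The single modify from the report: delete pwdPolicySubentry, replace userPassword.
CHANGES = [
    ("delete", "pwdPolicySubentry", []),
    ("replace", "userPassword", ["{SASL}bob@example.com"]),
]


def apply_modify(entry, changes):
    """Return a copy of entry with LDAP modify changes (add/delete/replace) applied."""
    out = {k: list(v) if isinstance(v, list) else v for k, v in entry.items()}
    for op, attr, values in changes:
        if op == "replace":
            out[attr] = list(values)
        elif op == "add":
            out.setdefault(attr, []).extend(values)
        elif op == "delete":
            kept = [] if not values else [v for v in out.get(attr, []) if v not in values]
            if kept:
                out[attr] = kept
            else:
                out.pop(attr, None)  # deleting the last value removes the attribute
    return out


def effective_policy(entry, policies):
    """Policy named by pwdPolicySubentry; None means no per-entry policy (assumed: no default)."""
    ref = entry.get("pwdPolicySubentry")
    return policies.get(ref[0]) if ref else None


def quality_ok(password, policy):
    """Assumed strict-check rule: a scheme-prefixed value cannot be checked, so level 2 rejects it."""
    level = (policy or {}).get("pwdCheckQuality", 0)
    if level == 0:
        return True
    if password.startswith("{"):
        return level != 2
    return len(password) >= (policy or {}).get("pwdMinLength", 0)


def evaluate(entry, changes, policies, relax=False):
    """(ok, reason): policy taken from the pre-operation entry, or the post-operation one if relax."""
    basis = apply_modify(entry, changes) if relax else entry
    policy = effective_policy(basis, policies)
    for op, attr, values in changes:
        if attr == "userPassword" and op in ("replace", "add"):
            if not all(quality_ok(v, policy) for v in values):
                return False, "Password fails quality checking policy"
    return True, "ok"
```

Splitting the report's change into two operations (first delete pwdPolicySubentry, then replace userPassword) passes under the pre-operation rule, because the second operation starts from an entry without a policy reference.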