[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody

> masarati@aero.polimi.it wrote:
>>>> Then the patch is trivial:
>>>> [..]
>>>> If there's consensus, I'll commit it.
>>> Seems like a pointless change. You must set ACLs for this type of
>>> modification
>>> to be allowed. Since you must set ACLs anyway, there is no good reason
>>> to
>>> use
>>> the pwdAllowUserChange policy setting in the first place. In general
>>> the
>>> pwdAllowUserChange option is only useful on systems that do not already
>>> provide fine grained access controls.
>> Agree (see my previous message).  For this purpose, I suggest to add, in
>> slapo-ppolicy(5), a comment about discouraging the use of
>> pwdAllowUserChange since OpenLDAP provides fine-grain ACLs.
> I already knew that this can be achieved by ACLs but...
> 1. OpenLDAP should behave as stated in the ppolicy spec and the man-pages.
> 2. sometimes it'd be more handy to use this flag in an already existing
> pwdPolicy entry than defining additional ACLs.
> Since this patch seems so trivial why not commit it?

The patch is the result of my reading in 5 minutes a single portion of a
spec I read in detail years ago, so my interpretation could not be the
most correct.  Since Howard implemented slapo-ppolicy(5), I believe his
interpretation of the spec is more accurate.  The fact that he interprets
this flag as a complete replacement of ACLs on systems where they are not
granular enough lets me think that its behavior should be broader (i.e.
apply to all users) rather than strictly sticking to the word (i.e. apply
to self only).

That's why I'm seeking consensus before committing a patch (that could be
harmful, as the current behavior of slapo-ppolicy(5) makes this flag work
as a complete alternative to ACLs, while the new behavior, not
complemented by appropriate ACLs, could allow anybody but self to change
the pwd).