(ITS#8565) Clarification of the slapo-ppolicy manpage

Full_Name: Matthieu Cerda
Version: 2.4.40
OS: Debian jessie
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

Hello!

As per http://www.openldap.org/lists/openldap-technical/201701/msg00017.html I
would like to submit a small improvement to the slapo-ppolicy manpage to clarify
rootdn presence / absence implications in a ppolicy enabled setup.

Here is the patch (I think it's short enough not to justify a separate upload):

>From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001
From: Matthieu Cerda <matthieu.cerda@nbs-system.com>
Date: Tue, 3 Jan 2017 14:45:37 +0100
Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible

 doc/man/man5/slapo-ppolicy.5 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 8306f9761..6d3edb9c4 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the
 is performed with the
 .B rootdn
 identity; all the operations, when performed with any other identity,
-may be subjected to constraints, like access control.
+may be subjected to constraints, like access control. It means that
+not defining a
+.B rootdn
+in your configuration is likely to lead to undesirable behavior (like
+account locking using pwdLockout not working properly) unless you have
+appropriate access control entries.
 Note that the IETF Password Policy proposal for LDAP makes sense
 when considering a single-valued password attribute, while 
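
Review bot: The added sentence ends with "unless you have appropriate access control entries" but never says what access is required, so a reader running without a rootdn cannot act on the warning; state which access the ACLs must grant for features such as pwdLockout to work. The opening "It means that" also has no clear antecedent, since the preceding text only says that some policies do not take effect for the rootdn identity and that other identities may be subject to access control; spell out the link between those statements and the missing rootdn. Two style points: start the new sentence on its own line instead of appending it to "may be subjected to constraints, like access control.", which leaves that existing line untouched in the diff, and mark up pwdLockout with .B as is done for rootdn.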

Thanks in advance,
Have a nice day,
Matthieu Cerda