[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: readonly lets ldappasswd change a password

To: Thierry Lacoste <lacoste@miage.univ-paris12.fr>
Subject: Re: readonly lets ldappasswd change a password
From: Michael Ströder <michael@stroeder.com>
Date: Mon, 11 May 2009 19:02:16 +0200
Cc: openldap-software@openldap.org
In-reply-to: <4FA4CE28-450C-4DE0-B842-945B0D2B58C9@miage.univ-paris12.fr>
References: <4FA4CE28-450C-4DE0-B842-945B0D2B58C9@miage.univ-paris12.fr>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090402 SeaMonkey/1.1.16

Thierry Lacoste wrote:
> 
> When I put my server in readonly mode I still
> can change passwords with ldappasswd.
> Is this expected?

Hmm, personally I wouldn't expect this since I'd assume the "Password
Modify Extended Operation" is a write operation. So you should file an
ITS for that particular case.

This raises an interesting question on what read-only mode really means.
There are other situations where LDAP operations which are not
considered write operations cause attribute values to be changed, e.g.
when having password policy with a retry counter and the client sends a
wrong password in a bind request.

Seems to me one should really carefully consider when and why to use
read-only mode of slapd.

Ciao, Michael.

References:
- readonly lets ldappasswd change a password
  - From: Thierry Lacoste <lacoste@miage.univ-paris12.fr>

Prev by Date: Re: Pool File: unknown
Next by Date: LDAP replication
Index(es):
- Chronological
- Thread