Re: readonly lets ldappasswd change a password

Thierry Lacoste wrote:
> When I put my server in readonly mode I still
> can change passwords with ldappasswd.
> Is this expected?

Hmm, personally I wouldn't expect this since I'd assume the "Password
Modify Extended Operation" is a write operation. So you should file an
ITS for that particular case.

This raises an interesting question about what read-only mode really means.
There are other situations where LDAP operations which are not
considered write operations cause attribute values to be changed, e.g.
when a password policy with a retry counter is in place and the client
sends a wrong password in a bind request.

Seems to me one should really carefully consider when and why to use
the read-only mode of slapd.

Ciao, Michael.