[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Possible ppolicy override for other than rootDN

To: Christian Kratzer <ck@cksoft.de>
Subject: Re: Possible ppolicy override for other than rootDN
From: "Michael StrÃder" <michael@stroeder.com>
Date: Wed, 05 Jun 2013 12:16:59 +0200
Cc: Christian Kratzer <ck-lists@cksoft.de>, openldap-technical@openldap.org
In-reply-to: <alpine.BSF.2.00.1306051200250.24806@pohjola.cksoft.de>
References: <alpine.BSF.2.00.1306051051020.24806@pohjola.cksoft.de> <5fccb4e39eee0a45069838a1dc030b68@srv1.stroeder.com>, <alpine.BSF.2.00.1306051200250.24806@pohjola.cksoft.de>

On Wed, 5 Jun 2013 12:08:50 +0200 (CEST) Christian Kratzer <ck-lists@cksoft.de>
wrote
> On Wed, 5 Jun 2013, Michael StrÃder wrote:
> 
> > On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer
> > <ck-lists@cksoft.de> wrote
> >> We have a customer setup where the corporate identity management
> >> applications provisions users to the directory, resets their passwords
> >> etc... >>
> >> The tool binds as a specific user and we permit write access to
> >> appropriate subtress via an acl.
> >>
> >> The customer also uses password policy to enforce policy in ldap.
> >>
> >> The problem we have is that the idm tool is obivously also subject to the
> >> pwdMinAge and pwdSafeModify policies.  The tool never stores a users
> >> password so when pwdSafeModify is in effect it cannot provide the old
> >> password to satisfy the policy.  It obviously also cannot reset the
> >> password until pwdMinAge has elapsed.
> >>
> >> Giving the rootDN credentials to the tool is also not an option as we
> >> would like to keep audit logs clean and have the acl in place to stop the
> >> tool from writing all over the place.
> >>
> >> So we would like to override password policy for the idm tools bind user
> >> similarly as the rootDN is already able to bypass policy.
> >
> > If it's not already implemented I'd recommend this feature request:
> > 1. limit such a write operation to a user which has 'manage' access to the
> > attributes and
> > 2. enable overriding only if the client sends Relax Rules Control along
> > with the LDAP write request.
> 
> So one would need to check for manage access to userPassword an if the
> relax control rule has been sent in this request.
> 
> I will try searching the code to see if any of that is readily accessible 
> in the context needed for the check.  I have not looked to deep in the
> openldap code yet to fully understand the internal archicture.

It's already done like this e.g. for write access to operational attribute
'pwdHistory'.

Ciao, Michael.

Follow-Ups:
- Re: Possible ppolicy override for other than rootDN
  - From: Christian Kratzer <ck-lists@cksoft.de>

References:
- Possible ppolicy override for other than rootDN
  - From: Christian Kratzer <ck-lists@cksoft.de>
- Re: Possible ppolicy override for other than rootDN
  - From: "Michael StrÃder" <michael@stroeder.com>
- Re: Possible ppolicy override for other than rootDN
  - From: Christian Kratzer <ck-lists@cksoft.de>

Prev by Date: Re: Possible ppolicy override for other than rootDN
Next by Date: Re: SSHA as default password-hash in next password change
Index(es):
- Chronological
- Thread