
Re: Antw: Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs

On 03/01/2017 at 08:05, Ulrich Windl wrote:
>>>> Quanah Gibson-Mount <quanah@symas.com> wrote on 03.01.2017 at 00:11 in
> message <F365AC223D2A1E22A5345243@[192.168.1.30]>:
>> (...)
>>
>> Note the bit about "all the operations, ..."
>>
>> If you think of a way to reword it that you feel is a better explanation, 
>> that could certainly be considered. :)
> 
> I think a notice who is the modifier on ppolicy changes would be worth it; specifically if it's related to RootDN ;-)
> I think I had already asked earlier about some notice on ACLs that ppolicy may or may not need to work.

Well I certainly didn't understand the message as 'every operation will
be done assuming the rootdn identity' indeed.

I agree with Ulrich: maybe a small note in the manpage saying exactly
that might help, just in case?

Here is a proposal patch on slapo-ppolicy.5 manpage to clarify that.

Thanks in advance,
-- 
Matthieu Cerda

From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001
From: Matthieu Cerda <matthieu.cerda@nbs-system.com>
Date: Tue, 3 Jan 2017 14:45:37 +0100
Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible
 consequences

---
 doc/man/man5/slapo-ppolicy.5 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 8306f9761..6d3edb9c4 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the operation
 is performed with the
 .B rootdn
 identity; all the operations, when performed with any other identity,
-may be subjected to constraints, like access control.
+may be subjected to constraints, like access control. It means that
+not defining a
+.B rootdn
+in your configuration is likely to lead to undesirable behavior (like
+account locking using pwdLockout not working properly) unless you have
+appropriate access control entries.
 .P
 Note that the IETF Password Policy proposal for LDAP makes sense
 when considering a single-valued password attribute, while 
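Review bot: the added sentence opens with "It means that", which leaves the referent unclear and never says which write actually fails; since this thread is about the overlay being unable to set pwdAccountLockedTime because of ACLs, name that attribute and the failing operation rather than only the symptom, e.g. "Without a rootdn, the overlay's own updates to attributes such as pwdAccountLockedTime are subject to access control, so account locking via pwdLockout will not work unless the identity performing the operation has write access to those attributes." That wording also replaces "appropriate access control entries", which gives the reader no hint of what must be granted. Minor: the hunk sets rootdn with .B but leaves pwdLockout plain; use the same markup for both.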
-- 
2.11.0
