[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Checking that account is locked

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Checking that account is locked
From: Radovan Semancik <radovan.semancik@evolveum.com>
Date: Thu, 16 Jun 2016 15:00:28 +0200
Dkim-filter: OpenDKIM Filter v2.9.0 hermes.evolveum.com 11BE73629BD
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=evolveum.com; s=46F1F96C-8266-11E5-BB5D-6C9186186C84; t=1466082326; bh=EWTR+oO473RLNAYm2GsG27LF1/4LOfAUfpgJJBnVjyQ=; h=Subject:To:From:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=ng9jCqRTmrCNg6VYfylJKPTGTWUDCFpjIYIqBmaeQCaxyt73RO5ESsZB9npE6Z1jm CNi9Ffj63R2lLhuqZvkna5NqfziAThCDbxJkwasFIz1EUQ+UUO8qaFWoNsaYMxJDT/ JjvqC4Lno1ZF5qTsNyJyX0xnfG99Zzz+3/TT/7+g=
In-reply-to: <57627535.7020902@stroeder.com>
References: <5761474A.1030103@evolveum.com> <CAK_oV48Ett7JmfntJp6rQvjPzm9kZki3hWcPvT=Q=B6uNAaHMA@mail.gmail.com> <576264FF.50502@evolveum.com> <57627535.7020902@stroeder.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2

On 06/16/2016 11:45 AM, Michael Ströder wrote:

The caveat with reading cn=config is that you might not be allowed doing so. One
would need fine-grained read ACLs to avoid e.g. revealing the rootpw hash to an
application. Well, on my systems there is no rootpw hash but you get the idea.

Yes. That's exactly my concern. I do not like the idea of lettingordinary LDAP clients access cn=config at all.

So, it looks like there is currently no good solution for this.

AFAIK other LDAP servers (e.g. OpenDJ) has two operational attributes:

1. 'pwdPolicySubentry' is set in every entry and therefore always points to the
effective (default) pwdPolicy entry.

2. Another attribute (IIRC 'ds-pwp-password-policy-dn') is for setting an
individual pwdPolicy entry to be used for a particular entry overriding the
default value.

I'd love to see something like this standardized and implemented in OpenLDAP.


I completely agree with that.

--
Radovan Semancik
Software Architect
evolveum.com

References:
- Checking that account is locked
  - From: Radovan Semancik <radovan.semancik@evolveum.com>
- Re: Checking that account is locked
  - From: Clément OUDOT <clem.oudot@gmail.com>
- Re: Checking that account is locked
  - From: Radovan Semancik <radovan.semancik@evolveum.com>
- Re: Checking that account is locked
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Checking that account is locked
Next by Date: Re: ldap user login attempt kills slapd service
Index(es):
- Chronological
- Thread