[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Antw: Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs

Le 03/01/2017 à 08:05, Ulrich Windl a écrit :
>>>> Quanah Gibson-Mount <quanah@symas.com> schrieb am 03.01.2017 um 00:11 in
> Nachricht <F365AC223D2A1E22A5345243@[]>:
>> (...)
>> Note the bit about "all the operations, ..."
>> If you think of a way to reword it that you feel is a better explanation, 
>> that could certainly be considered. :)
> I think a notice who is the modifier on ppolicy changes would be woth it; specifically if it's related to RootDN ;-)
> I think I had already asked earlier about some notice on ACLs that ppolicy may or may not need to work.

Well I certainly didn't understand the message as 'every operation will
be done assuming the rootdn identity' indeed.

I agree with Ulrich, maybe a small note in the manpage saying exactly
that might help, just in case ?

Here is a proposal patch on slapo-ppolicy.5 manpage to clarify that.

Thanks in advance,
Matthieu Cerda

From c6c03415e73fe762ee8f77d3e3cad97834913d00 Mon Sep 17 00:00:00 2001
From: Matthieu Cerda <matthieu.cerda@nbs-system.com>
Date: Tue, 3 Jan 2017 14:45:37 +0100
Subject: [PATCH] Clarify slapo-ppolicy manpage about rootdn absence possible

 doc/man/man5/slapo-ppolicy.5 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5
index 8306f9761..6d3edb9c4 100644
--- a/doc/man/man5/slapo-ppolicy.5
+++ b/doc/man/man5/slapo-ppolicy.5
@@ -28,7 +28,12 @@ Note that some of the policies do not take effect when the operation
 is performed with the
 .B rootdn
 identity; all the operations, when performed with any other identity,
-may be subjected to constraints, like access control.
+may be subjected to constraints, like access control. It means that
+not defining a
+.B rootdn
+in your configuration is likely to lead to undesirable behavior (like
+account locking using pwdLockout not working properly) unless you have
+appropriate access control entries.
 Note that the IETF Password Policy proposal for LDAP makes sense
 when considering a single-valued password attribute, while 

Attachment: signature.asc
Description: OpenPGP digital signature