Re: Building openldap with overlays

[Michael Ströder <michael@stroeder.com>]

Howard Chu wrote:
> Kevin Spicer wrote:
>
> > On Sun, 2004-11-21 at 01:11, Howard Chu wrote:
> >  
> >
> > > Sounds like a flaw in the ppolicy schema definition. You can work
> > > around this by adding "NO-USER-MODIFICATION" to the definition of the 
> > > operational attributes in ppolicy.c. (Seems counter-intuitive, but it
> > > will work.)
> >
> > Yes, I worked that out after I posted by reading the code.  However what
> > I couldn't work out is that although none of the operational attrs have
> > "NO-USER-MODIFICATION" defined pwdFailureTime and pwdAccountLockedTime
> > still manage to update.  I  think they are being updated using the
> > rootdn
> Yes.
>
> Those attributes are modified during a Bind operation, and no other 
> attributes are being touched.

And what happens to 'modifiersName' and 'modifyTimestamp'?

> During a Modify/Password operation, 
> multiple attributes are being modified, some requested by the user, so 
> the operation must be performed as the user.

Hmm, are there any security considerations with 'pwdFailureTime' and 
'pwdAccountLockedTime' being modifiable by the user?

Ciao, Michael.