Re: Building openldap with overlays

[Howard Chu <hyc@symas.com>]

Michael Ströder wrote:

> Howard Chu wrote:
>
> > Kevin Spicer wrote:
> >
> > > On Sun, 2004-11-21 at 01:11, Howard Chu wrote:
> > >  
> > >
> > > > Sounds like a flaw in the ppolicy schema definition. You can work
> > > > around this by adding "NO-USER-MODIFICATION" to the definition of 
> > > > the operational attributes in ppolicy.c. (Seems counter-intuitive, 
> > > > but it
> > > > will work.)
> > >
> > >
> > > Yes, I worked that out after I posted by reading the code.  However 
> > > what
> > > I couldn't work out is that although none of the operational attrs have
> > > "NO-USER-MODIFICATION" defined pwdFailureTime and pwdAccountLockedTime
> > > still manage to update.  I  think they are being updated using the
> > > rootdn
> > Yes.
> >
> > Those attributes are modified during a Bind operation, and no other 
> > attributes are being touched.
>
>
> And what happens to 'modifiersName' and 'modifyTimestamp'?

In the current module, nothing. It's obviously open to debate, but I 
don't believe an internal operation like this warrants updating those 
attributes.

> > During a Modify/Password operation, multiple attributes are being 
> > modified, some requested by the user, so the operation must be 
> > performed as the user.
>
> Hmm, are there any security considerations with 'pwdFailureTime' and 
> 'pwdAccountLockedTime' being modifiable by the user?

Certainly. As I said, it looks like this is a flaw in the schema 
definition, and it appears that draft 8 has the same defect. I don't 
recall if this was mentioned on the LDAPext discussion, will take a look.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support