
Re: Possible ppolicy override for other than rootDN



On Wed, 5 Jun 2013 12:08:50 +0200 (CEST) Christian Kratzer <ck-lists@cksoft.de>
wrote
> On Wed, 5 Jun 2013, Michael Ströder wrote:
> 
> > On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer
> > <ck-lists@cksoft.de> wrote
> >> We have a customer setup where the corporate identity management
> >> application provisions users to the directory, resets their passwords
> >> etc...
> >>
> >> The tool binds as a specific user and we permit write access to
> >> appropriate subtrees via an acl.
> >>
> >> The customer also uses password policy to enforce policy in ldap.
> >>
> >> The problem we have is that the idm tool is obviously also subject to the
> >> pwdMinAge and pwdSafeModify policies.  The tool never stores a user's
> >> password so when pwdSafeModify is in effect it cannot provide the old
> >> password to satisfy the policy.  It obviously also cannot reset the
> >> password until pwdMinAge has elapsed.
> >>
> >> Giving the rootDN credentials to the tool is also not an option as we
> >> would like to keep audit logs clean and have the acl in place to stop the
> >> tool from writing all over the place.
> >>
> >> So we would like to override password policy for the idm tools bind user
> >> similarly as the rootDN is already able to bypass policy.
> >
> > If it's not already implemented I'd recommend this feature request:
> > 1. limit such a write operation to a user which has 'manage' access to the
> > attributes and
> > 2. enable overriding only if the client sends Relax Rules Control along
> > with the LDAP write request.
> 
> So one would need to check for manage access to userPassword and if the
> relax control rule has been sent in this request.
> 
> I will try searching the code to see if any of that is readily accessible
> in the context needed for the check.  I have not looked too deep in the
> openldap code yet to fully understand the internal architecture.

It's already done like this e.g. for write access to operational attribute
'pwdHistory'.

Ciao, Michael.
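As an added illustration (not part of the thread, and not OpenLDAP project code), here is what the check Michael proposes would require on both sides: the ACL granting the IDM bind DN 'manage' rather than plain 'write' access to userPassword, scoped to the user subtree so the rootDN is not needed and the tool still cannot write elsewhere, and the reset the tool would send together with the Relax Rules control. The DNs, the database index and the user entry are assumptions made up for the example. Whether slapd's ppolicy overlay then skips pwdMinAge and pwdSafeModify for userPassword is exactly the feature request under discussion; the thread only states that this combination already governs writes to pwdHistory.

```ldif
# Constructed example, not from the mailing-list thread. Assumed names:
#   IDM bind DN   : cn=idm,ou=services,dc=example,dc=com
#   user subtree  : ou=people,dc=example,dc=com
#   database entry: olcDatabase={1}mdb,cn=config
#
# 1. cn=config ACL: 'manage' access to userPassword for the IDM bind DN,
#    limited to the user subtree. Inserted at {0} so it is evaluated before
#    the existing rules. Continuation lines start with two spaces because LDIF
#    unfolding strips only the first one.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
  by dn.exact="cn=idm,ou=services,dc=example,dc=com" manage
  by self write
  by anonymous auth
  by * none

# 2. reset.ldif, the modification the IDM tool sends. There is deliberately
#    no "delete: userPassword" carrying the old value, which is what
#    pwdSafeModify would otherwise demand and which the tool cannot supply.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: replace-with-new-password

# 3. Send it with the Relax Rules control, which the OpenLDAP client tools
#    expose as "-e relax":
#
#   ldapmodify -H ldap://ldap.example.com \
#       -D cn=idm,ou=services,dc=example,dc=com -W \
#       -e relax -f reset.ldif
```

A quick check that the ACL is scoped as intended: binding as the IDM DN and attempting the same replace on an entry outside ou=people, or on an attribute other than userPassword, should still fail with insufficientAccessRights, while the slapd log shows the IDM DN rather than the rootDN as the modifier.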