
Re: Checking that account is locked



Radovan Semancik wrote:
> I'm glad that you confirmed that. I was afraid that I'm overlooking something
> essential here.
> 
> On 06/15/2016 10:14 PM, Clément OUDOT wrote:
>> Well, if there is a default ppolicy configured, and yes you need to search it
>> in cn=config, but it can also be a configuration parameter on your side. If
>> there is not, the policy will be defined in pwdPolicySubentry, so you can
>> directly request it.
> 
> Yes, theoretically I can have a configuration parameter on my side. But
> practically that is asking for trouble during operation and maintenance. If the
> pointer to the default password policy in OpenLDAP changes, I'm quite sure nobody
> will think about updating the configuration of my application.

The caveat with reading cn=config is that you might not be allowed to do so. One
would need fine-grained read ACLs to avoid e.g. revealing the rootpw hash to an
application. Well, on my systems there is no rootpw hash, but you get the idea.

AFAIK other LDAP servers (e.g. OpenDJ) have two operational attributes:

1. 'pwdPolicySubentry' is set in every entry and therefore always points to the
effective (default) pwdPolicy entry.

2. Another attribute (IIRC 'ds-pwp-password-policy-dn') is for setting an
individual pwdPolicy entry to be used for a particular entry overriding the
default value.

I'd love to see something like this standardized and implemented in OpenLDAP.

Ciao, Michael.

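The resolution order the thread converges on (per-entry pwdPolicySubentry first, then a default policy that is either read from cn=config or carried as an application setting), followed by the actual lockout check, as an added example. This is not code from the thread or from OpenLDAP. It works on entries already read from the directory, represented as attribute dictionaries; the DNs and attribute values are constructed. pwdAccountLockedTime and pwdLockoutDuration are standard ppolicy attributes not mentioned in the thread, and the 000001010000Z administrative-lock marker is OpenLDAP slapo-ppolicy behaviour. The LookupError path is there for the case Michael raises: an application that may not read cn=config and has no configured default must fail loudly rather than evaluate an account against no policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample data: what an application would have read from the directory
# (a search requesting the operational attributes pwdPolicySubentry and
# pwdAccountLockedTime). DNs and values are made up for this example.
DIRECTORY: Dict[str, Entry] = {
    "cn=default,ou=policies,dc=example,dc=com": {
        "objectClass": ["pwdPolicy", "device"],
        "pwdAttribute": ["userPassword"],
        "pwdLockout": ["TRUE"],
        "pwdLockoutDuration": ["900"],      # lock expires after 15 minutes
    },
    "cn=strict,ou=policies,dc=example,dc=com": {
        "objectClass": ["pwdPolicy", "device"],
        "pwdAttribute": ["userPassword"],
        "pwdLockout": ["TRUE"],
        "pwdLockoutDuration": ["0"],        # 0: locked until an admin resets it
    },
    # explicit per-entry policy: the pwdPolicySubentry case from the thread
    "uid=alice,ou=people,dc=example,dc=com": {
        "pwdPolicySubentry": ["cn=strict,ou=policies,dc=example,dc=com"],
        "pwdAccountLockedTime": ["20160615201400Z"],
    },
    # no pwdPolicySubentry: the default policy applies
    "uid=bob,ou=people,dc=example,dc=com": {
        "pwdAccountLockedTime": ["20160615201400Z"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {},
}

# Default policy DN. In OpenLDAP this is olcPPolicyDefault on the ppolicy overlay
# in cn=config; an application that may not read cn=config has to carry it as its
# own setting instead (the maintenance trade-off discussed in the thread).
CONFIGURED_DEFAULT_POLICY_DN: Optional[str] = "cn=default,ou=policies,dc=example,dc=com"

# pwdAccountLockedTime value slapo-ppolicy uses for an administrative lock.
ADMIN_LOCK_MARKER = "000001010000Z"


def generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20160615201400Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy_dn(entry: Entry, default_dn: Optional[str]) -> str:
    """Per-entry pwdPolicySubentry wins; otherwise fall back to the default policy.

    Raises LookupError when neither is available so the caller cannot silently
    evaluate an account against no policy at all.
    """
    subentry = entry.get("pwdPolicySubentry")
    if subentry:
        return subentry[0]
    if default_dn:
        return default_dn
    raise LookupError("no pwdPolicySubentry and no default policy DN configured")


@dataclass
class LockStatus:
    locked: bool
    policy_dn: str
    reason: str


def lockout_status(entry: Entry, policy: Entry, policy_dn: str, now: datetime) -> LockStatus:
    """Evaluate pwdAccountLockedTime against the policy's pwdLockoutDuration."""
    locked_time = entry.get("pwdAccountLockedTime")
    if not locked_time:
        return LockStatus(False, policy_dn, "pwdAccountLockedTime not set")
    if locked_time[0] == ADMIN_LOCK_MARKER:
        return LockStatus(True, policy_dn, "administratively locked")
    duration = int(policy.get("pwdLockoutDuration", ["0"])[0])
    if duration == 0:
        return LockStatus(True, policy_dn, "locked until reset (pwdLockoutDuration 0)")
    expires = generalized_time(locked_time[0]) + timedelta(seconds=duration)
    if now < expires:
        return LockStatus(True, policy_dn, f"locked until {expires.isoformat()}")
    return LockStatus(False, policy_dn, f"lockout expired at {expires.isoformat()}")


def check_account(dn: str, now: datetime,
                  default_dn: Optional[str] = CONFIGURED_DEFAULT_POLICY_DN) -> LockStatus:
    """Resolve the effective policy for dn in the sample directory and evaluate it."""
    entry = DIRECTORY[dn]
    policy_dn = effective_policy_dn(entry, default_dn)
    return lockout_status(entry, DIRECTORY[policy_dn], policy_dn, now)


if __name__ == "__main__":
    now = generalized_time("20160615202000Z")
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            status = check_account(dn, now)
            print(f"{dn}: {'LOCKED' if status.locked else 'ok'} ({status.reason})")
```

Against a live server the same logic applies unchanged; only the DIRECTORY lookups become LDAP searches, and the policy entry has to be readable by the application's bind identity, which is a separate ACL question from the cn=config one Michael describes.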