Re: rootdn & password policy

2020-04-15 Thread Quanah Gibson-Mount

--On Wednesday, April 15, 2020 8:49 PM +0200 Michael Ströder wrote:

> But I disagree to call it a deficiency that it's not possible to violate
> minimum password length constraint with a relax control or similar. This
> has to be carefully considered and decided for each possible use-case.

I was talking more about the original use case -- that you can't create an admin
user (or group of admin users) that can reset a user's password (not that
you can violate the policy around those passwords).  That was the original
request:

"Is there a way to create the admin user so that this user can have the
same privilege as rootdn and I don't need to bind as rootdn in my
application?"

--Quanah


--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: rootdn & password policy

2020-04-15 Thread Michael Ströder
On 4/15/20 6:44 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT wrote:
>> I have done some tests today, I did not find a solution.
>>
>> I tried to give the "manage" right to a service account, and then use the
>> relax or ManageDSAIT controls to force the change of a password which is
>> too short, it is always rejected. The modification is only accepted if it
>> is done by rootdn.
> 
> Correct, this is a deficiency in the current implementation.  Ties in
> somewhat to 

In general I agree that there are real deficiencies regarding access
control for extended controls and extended operations.

But I disagree to call it a deficiency that it's not possible to violate
minimum password length constraint with a relax control or similar. This
has to be carefully considered and decided for each possible use-case.

Ciao, Michael.


Re: rootdn & password policy

2020-04-15 Thread Hannah Chenh
Thanks, Clement for testing.  I agree. Looks like it can only be done by
rootdn.

On Wed, Apr 15, 2020 at 9:40 AM Clément OUDOT wrote:

> On 13/04/2020 at 19:34, Hannah Chenh wrote:
>
>> Hello,
>>
>> I have a question related to rootdn and password policy.
>>
>> I understand that the rootdn can bypass all restrictions.
>>
>> We have a requirement to bypass a password policy for the admin user.
>>
>> Is there a way to create the admin user so that this user can have the same
>> privilege as rootdn and I don't need to bind as rootdn in my application?
>>
>> Currently I have granted the following to the admin_user:
>>
>> ===
>> dn: olcDatabase={2}hdb,cn=config
>> changetype: modify
>> add: olcAccess
>> olcAccess: {0}to attrs=userPassword
>>   by self write
>>   by anonymous auth
>>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>>   by * none
>> olcAccess: {1}to *
>>   by self write
>>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>>   by * read
>> ===
>>
>> Any help would be appreciated.
>
> I have done some tests today, I did not find a solution.
>
> I tried to give the "manage" right to a service account, and then use the
> relax or ManageDSAIT controls to force the change of a password which is
> too short, it is always rejected. The modification is only accepted if it
> is done by rootdn.
>
> --
> Clément Oudot | Identity Solutions Manager
> clement.ou...@worteks.com
>
> Worteks | https://www.worteks.com


Re: rootdn & password policy

2020-04-15 Thread Quanah Gibson-Mount

--On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT wrote:

> I have done some tests today, I did not find a solution.
>
> I tried to give the "manage" right to a service account, and then use the
> relax or ManageDSAIT controls to force the change of a password which is
> too short, it is always rejected. The modification is only accepted if it
> is done by rootdn.

Correct, this is a deficiency in the current implementation.  Ties in
somewhat to 

Regards,
Quanah


--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:



Re: rootdn & password policy

2020-04-15 Thread Clément OUDOT

On 13/04/2020 at 19:34, Hannah Chenh wrote:
> Hello,
> I have a question related to rootdn and password policy.
> I understand that the rootdn can bypass all restrictions.
> We have a requirement to bypass a password policy for the admin user.
> Is there a way to create the admin user so that this user can have the same
> privilege as rootdn and I don't need to bind as rootdn in my application?
> Currently I have granted the following to the admin_user:
> ===
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> add: olcAccess
> olcAccess: {0}to attrs=userPassword
>   by self write
>   by anonymous auth
>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>   by * none
> olcAccess: {1}to *
>   by self write
>   by dn.base="cn=Manager,dc=abcdomain,dc=com" write
>   by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
>   by * read
>
> ===
> Any help would be appreciated.


I have done some tests today, I did not find a solution.

I tried to give the "manage" right to a service account, and then use
the relax or ManageDSAIT controls to force the change of a password
which is too short, it is always rejected. The modification is only
accepted if it is done by rootdn.

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com



Re: rootdn & password policy

2020-04-14 Thread Dieter Klünter
On Tue, 14 Apr 2020 16:26:20 +0200 Dieter Klünter wrote:

> On Mon, 13 Apr 2020 10:34:36 -0700 Hannah Chenh wrote:
> 
> > Hello,
> > 
> > I have a question related to rootdn and password policy.
> > 
> > I understand that the rootdn can bypass all restrictions.
> > 
> > We have a requirement to bypass a password policy for the admin
> > user.
> > 
> > Is there a way to create the admin user so that this user can have
> > the same privilege as rootdn and I don't need to bind as rootdn in
> > my application?
> > 
> > Currently I have granted the following to the admin_user:
> [...] 
>  
> > 
> > Any help would be appreciated.
> 
> man slapo-ppolicy(5) read on pwdPolicy objectclass, and
> pwdPolicySubentry.
> Create a policy subtree and add all users policy objects to this
> subtree.

Sorry, my bad, this is rubbish. It should have been the answer to a
different list.

-Dieter

-- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: rootdn & password policy

2020-04-14 Thread Dieter Klünter
On Mon, 13 Apr 2020 10:34:36 -0700 Hannah Chenh wrote:

> Hello,
> 
> I have a question related to rootdn and password policy.
> 
> I understand that the rootdn can bypass all restrictions.
> 
> We have a requirement to bypass a password policy for the admin user.
> 
> Is there a way to create the admin user so that this user can have the
> same privilege as rootdn and I don't need to bind as rootdn in my
> application?
> 
> Currently I have granted the following to the admin_user:
[...] 
 
> 
> Any help would be appreciated.

man slapo-ppolicy(5) read on pwdPolicy objectclass, and
pwdPolicySubentry.
Create a policy subtree and add all users policy objects to this
subtree.

-Dieter

--- 
Dieter Klünter | Systems consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


rootdn & password policy

2020-04-13 Thread Hannah Chenh
Hello,

I have a question related to rootdn and password policy.

I understand that the rootdn can bypass all restrictions.

We have a requirement to bypass a password policy for the admin user.

Is there a way to create the admin user so that this user can have the
same privilege as rootdn and I don't need to bind as rootdn in my
application?

Currently I have granted the following to the admin_user:

===
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * none
olcAccess: {1}to *
  by self write
  by dn.base="cn=Manager,dc=abcdomain,dc=com" write
  by dn.base="uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com" write
  by * read
===

Any help would be appreciated.

Thanks,

Hannah
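Added example (not code from the thread or from OpenLDAP itself): a small Python model of how slapd evaluates the olcAccess rules posted above (first matching "to" clause, then first matching "by" clause) combined with the behaviour Clément reported earlier in the thread, where the ppolicy length constraint is skipped for rootdn only and never because of an ACL grant. The pwdMinLength value and the uid=alice target entry are assumptions made for the model.

```python
# Constructed model of slapd ACL evaluation plus the ppolicy finding from the thread.
ROOTDN = "cn=Manager,dc=abcdomain,dc=com"
ADMIN = "uid=admin_user,ou=Service Accounts,dc=abcdomain,dc=com"
PWD_MIN_LENGTH = 8  # assumed pwdMinLength for the model (not stated in the thread)

# The two olcAccess values from the original post, as
# (target attrs, or None for "to *", [(who, access level), ...]) in listed order.
ACLS = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"),
                        (ROOTDN, "write"), (ADMIN, "write"), ("*", "none")]),
    (None, [("self", "write"), (ROOTDN, "write"), (ADMIN, "write"), ("*", "read")]),
]
# slapd access levels from lowest to highest; each level implies the ones below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def access_for(binddn, target_dn, attr):
    """Access level the ACLs grant binddn on attr of target_dn ("" = anonymous)."""
    if binddn == ROOTDN:
        return "manage"  # rootdn is never subject to ACL evaluation at all
    for attrs, by_clauses in ACLS:
        if attrs is not None and attr not in attrs:
            continue  # only the first "to" clause that matches is consulted
        for who, level in by_clauses:
            if (who == "self" and binddn == target_dn) \
                    or (who == "anonymous" and binddn == "") \
                    or who == binddn or who == "*":
                return level  # the first matching "by" clause wins
        return "none"  # the "to" clause matched but no "by" clause applied
    return "none"


def try_set_password(binddn, target_dn, new_password):
    """Model a Modify of userPassword: ACL check first, then the ppolicy check."""
    if LEVELS.index(access_for(binddn, target_dn, "userPassword")) < LEVELS.index("write"):
        return "insufficientAccessRights"
    # The ppolicy length constraint is enforced for every binder except rootdn;
    # a write/manage ACL grant or a relax control does not exempt admin_user.
    if binddn != ROOTDN and len(new_password) < PWD_MIN_LENGTH:
        return "constraintViolation"
    return "success"


if __name__ == "__main__":
    alice = "uid=alice,ou=People,dc=abcdomain,dc=com"  # constructed target entry
    for who in (ADMIN, ROOTDN):
        print(who.split(",")[0], "->", try_set_password(who, alice, "short"))
```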