On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer <[email protected]> wrote:
> We have a customer setup where the corporate identity management application
> provisions users to the directory, resets their passwords etc...
>
> The tool binds as a specific user and we permit write access to appropriate
> subtrees via an acl.
>
> The customer also uses password policy to enforce policy in ldap.
>
> The problem we have is that the idm tool is obviously also subject to the
> pwdMinAge and pwdSafeModify policies. The tool never stores a user's password
> so when pwdSafeModify is in effect it cannot provide the old password to
> satisfy the policy. It obviously also cannot reset the password until
> pwdMinAge has elapsed.
>
> Giving the rootDN credentials to the tool is also not an option as we would
> like to keep audit logs clean and have the acl in place to stop the tool from
> writing all over the place.
>
> So we would like to override password policy for the idm tool's bind user
> similarly as the rootDN is already able to bypass policy.
If it's not already implemented I'd recommend this feature request:

1. limit such a write operation to a user which has 'manage' access to the attributes and
2. enable overriding only if the client sends Relax Rules Control along with the LDAP write request.

Ciao, Michael.
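As an added illustration, not from either poster, here is the kind of slapd.conf ACL Michael's first point implies: the IDM bind DN (a hypothetical cn=idm,ou=services,dc=example,dc=com) gets 'manage' access to userPassword only under the subtree it provisions (hypothetical ou=people,dc=example,dc=com), while everyone else keeps ordinary self-write and auth rights. Whether slapo-ppolicy honours the Relax Rules control for pwdMinAge and pwdSafeModify is the feature request itself and is not settled in this thread.

```conf
# Added example slapd.conf ACL fragment; all DNs and the subtree are hypothetical.
# The IDM tool binds as cn=idm,ou=services,dc=example,dc=com and only
# provisions accounts under ou=people,dc=example,dc=com.
#
# "manage" is the privilege slapd requires for modifications made under the
# Relax Rules control (see slapd.access(5)), so granting it to the IDM DN
# alone keeps any override tied to that one audited identity.
# ACL clauses are evaluated in order; the first matching "access to" wins,
# so the narrow userPassword clause must precede the general one.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=userPassword
    by dn.exact="cn=idm,ou=services,dc=example,dc=com" manage
    by self write
    by anonymous auth
    by * none

# Remaining attributes under the provisioning subtree: the IDM DN may write,
# authenticated users may read.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="cn=idm,ou=services,dc=example,dc=com" write
    by users read
    by * none

# The IDM DN is deliberately absent here, so a misconfigured tool cannot
# write outside its provisioning scope (the point of keeping the ACL
# instead of handing it rootDN credentials).
access to *
    by users read
    by * none
```

The client side of Michael's second point is ldapmodify's `-e relax` option, which attaches the Relax Rules control to the modify request.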
