On Wed, 5 Jun 2013 12:08:50 +0200 (CEST) Christian Kratzer <[email protected]> wrote
> On Wed, 5 Jun 2013, Michael Ströder wrote:
>
> > On Wed, 5 Jun 2013 10:57:10 +0200 (CEST) Christian Kratzer
> > <[email protected]> wrote
> >> We have a customer setup where the corporate identity management
> >> application provisions users to the directory, resets their passwords
> >> etc...
> >>
> >> The tool binds as a specific user and we permit write access to
> >> appropriate subtrees via an acl.
> >>
> >> The customer also uses password policy to enforce policy in ldap.
> >>
> >> The problem we have is that the idm tool is obviously also subject to the
> >> pwdMinAge and pwdSafeModify policies. The tool never stores a user's
> >> password so when pwdSafeModify is in effect it cannot provide the old
> >> password to satisfy the policy. It obviously also cannot reset the
> >> password until pwdMinAge has elapsed.
> >>
> >> Giving the rootDN credentials to the tool is also not an option as we
> >> would like to keep audit logs clean and have the acl in place to stop the
> >> tool from writing all over the place.
> >>
> >> So we would like to override password policy for the idm tool's bind user
> >> similarly as the rootDN is already able to bypass policy.
> >
> > If it's not already implemented I'd recommend this feature request:
> > 1. limit such a write operation to a user which has 'manage' access to the
> > attributes and
> > 2. enable overriding only if the client sends Relax Rules Control along
> > with the LDAP write request.
>
> So one would need to check for manage access to userPassword and if the
> relax control rule has been sent in this request.
>
> I will try searching the code to see if any of that is readily accessible
> in the context needed for the check. I have not looked too deep in the
> openldap code yet to fully understand the internal architecture.
It's already done like this e.g. for write access to the operational attribute 'pwdHistory'.

Ciao, Michael.
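For reference, this is what the two-part proposal in the thread (manage access on the attribute plus the Relax Rules control on the request) looks like from the operator's side. It is an added illustration, not configuration from either poster; the bind DN, suffix, database index and user entry are made-up example values, and whether ppolicy actually waives pwdMinAge and pwdSafeModify for such a request is exactly the question the thread leaves open.

```ldif
# 1. Grant the IdM service DN 'manage' (not merely 'write') access to
#    userPassword, limited to the subtree it provisions. The ACL is what
#    keeps the tool from "writing all over the place", and because the
#    tool binds as its own DN rather than the rootDN the audit log still
#    attributes every change to cn=idm. (Example values throughout.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com" attrs=userPassword
  by dn.exact="cn=idm,ou=services,dc=example,dc=com" manage
  by self write
  by anonymous auth
  by * none

# 2. The password reset itself, sent with the Relax Rules control marked
#    critical ('!relax') so that a server which does not honour the control
#    refuses the operation instead of silently applying the normal policy:
#
#    ldapmodify -H ldapi:/// -D cn=idm,ou=services,dc=example,dc=com -W \
#               -e '!relax' -f reset.ldif
#
# Contents of reset.ldif (no old password is supplied, which is the case
# pwdSafeModify would otherwise reject):
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: Example-New-Passw0rd
```

If the server still answers with "Password is too young to change" or demands the old password, the overlay is not treating manage-plus-relax as a bypass for those two checks, and the change Christian is looking for would have to be made in ppolicy itself.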
