On 22 March 2013, at 14:34, Emmanuel Lécharny <[email protected]> wrote:

> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>>
>> We have an issue in the server where the admin (uid=admin,ou=system)
>> account can get locked permanently based on the ppolicy configuration
>> to lock accounts [1].
>>
>> IMO we should allow all user and admin accounts to get locked
>> permanently (again, based on the ppolicy config) except the system's
>> built-in admin account (uid=admin,ou=system). This is just to prevent
>> any abuse involving a regular admin account.
>
> Let me sum up:
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
>
> correct? (If so, my +1)

My +1 too, if that's the case.

> That raises another question here (see [2]):
>
> - assuming that [2] is solved, the super admin can unlock all the users
>   *and* all the admins?
> - a 'normal' admin can only lock users, not admins?
>
> PS: admins are the accounts present in the administrators branch atm.
> Won't it make sense to get rid of such a distinction, and to use ACI
> instead?

IMO, admins should be able to unlock admins as well. I'd expect it to work that way as a user, personally.
I see the exception we would make on making the lock of the super-admin impossible, more of a preventive measure to have at least one non-locked bindable user that can unlock others.

Regards,
Pierre-Arnaud

>> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
>
> [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
