On Fri, Mar 22, 2013 at 7:04 PM, Emmanuel Lécharny <[email protected]>wrote:
> Le 3/22/13 2:25 PM, Kiran Ayyagari a écrit : > > Hi guys, > > > > We have an issue in the server where the admin (uid=admin,ou=system) > > account can get locked > > permanently based on the ppolicy configuration to lock accounts [1]. > > > > IMO we should allow all user and admin accounts to get locked > > permanently (again, based on the ppolicy config) > > except the system's built-in admin account (uid=admin,ou=system). > This > > is just to prevent any abuse involving a > > regular admin account. > > Let me sum up : > - any user can be locked permanently > - admin users may also be locked permanently > - the super-admin cannot be locked permanently > > correct ? (If so, my +1) > > yes > That raises another question here (see [2]) : > > - assuming that [2] is solved, the super admin can unlock all the users > *and* all the admins ? > yes > - a 'normal' admin can only lock users, not admins ? > > yes > PS : admins are the account present in the administrators branch atm. > Won't it make sense to get rid of such a distinction, and to uses ACI > instead ? > > +1 , we have to fix DefaultCoreSession's isAnAdministrator() method for this > [1] https://issues.apache.org/jira/browse/DIRSERVER-1812 > > [2] https://issues.apache.org/jira/browse/DIRSERVER-1813 > > > > > > > -- > Regards, > Cordialement, > Emmanuel Lécharny > www.iktek.com > > -- Kiran Ayyagari http://keydap.com
