On Fri, Mar 22, 2013 at 7:10 PM, Pierre-Arnaud Marcelot <[email protected]> wrote:

> On 22 March 2013, at 14:34, Emmanuel Lécharny <[email protected]> wrote:
>
> > On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> >> Hi guys,
> >>
> >> We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked
> >> permanently based on the ppolicy configuration to lock accounts [1].
> >>
> >> IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config)
> >> except the system's built-in admin account (uid=admin,ou=system). This
> >> is just to prevent any abuse involving a
> >> regular admin account.
> >
> > Let me sum up:
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
> >
> > correct? (If so, my +1)
>
> My +1 too, if that's the case.
>
> > That raises another question here (see [2]):
> >
> > - assuming that [2] is solved, the super admin can unlock all the users
> > *and* all the admins?
> > - a 'normal' admin can only lock users, not admins?
> >
> > PS: admins are the accounts present in the administrators branch atm.
> > Won't it make sense to get rid of such a distinction, and to use ACI
> > instead?
>
> IMO, admins should be able to unlock admins as well.
> I'd expect it to work that way as a user, personally.
>

+1, good idea

> I see the exception we would make on making the lock of the super-admin
> impossible, more of a preventing measure to have at least one non-locked
> bindable user that can unlock others.
>
> Regards,
> Pierre-Arnaud
>
> >> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
> >
> > [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
> >
> > --
> > Regards,
> > Cordialement,
> > Emmanuel Lécharny
> > www.iktek.com

--
Kiran Ayyagari
http://keydap.com
