https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #6 from Ondřej Kuzník <[email protected]> ---

On Wed, Sep 08, 2021 at 09:52:49AM +0000, [email protected] wrote:
> --- Comment #4 from Michael Ströder <[email protected]> ---
> (In reply to Ondřej Kuzník from comment #3)
>> I've already had to make changes to the local version where things were omitted:
>> https://git.openldap.org/openldap/openldap/-/commit/2b007d01dbd924cf11f88c2f8dbba26b5ba8b593
>
> Hmm, not sure whether that leads to more interoperability.
>
>> Sounds like adding manage permissions on the attribute (and maybe the
>> "entry" attribute) could be a targeted way of allowing this operation?
>
> I strongly dislike having to use the Relax Rules control to let the admin
> change pwdPolicySubentry. IMO this control must only be used in exceptional
> administrative use-cases. I have a very strong opinion on this.
>
> In my local OpenLDAP 2.5.x builds I now simply remove NO-USER-MODIFICATION.
>
> Ideally I'd prefer not having to deal with pwdPolicySubentry at all. But until
> ITS#9343 is implemented NO-USER-MODIFICATION should be removed.
>
> Another solution would be to have a separate attribute fooPasswordPolicy (or
> whatever name you'd prefer) for overriding per entry the computed
> pwdPolicySubentry. It also allows to always compute the effective
> pwdPolicySubentry including applying defaults. This is the approach at least
> one other LDAP server implements.

That sounds like something we might be able to pursue as it's a viable reading of the draft. It would need a database reload with the attribute renamed, so not something I can see us doing before 2.7 (it's too late for 2.6 now); we could do this alongside ITS#9343.

That means we still have to decide whether the pwdPolicySubentry status should be reverted back and in which release.

Regards,

--
You are receiving this mail because:
You are on the CC list for the issue.
