On 08/03/15 05:33, brock samson wrote:
> Carlo,
>
> you are correct. pwdSafeModify value was TRUE. so after resetting it back to
> FALSE and restarting, everything is working as you described in your last
> post, thank you!
>
> however, the question remains to everyone else about pwdSafeModify
> attribute's value being TRUE and an admin changing some user's password via
> apache studio. as i stated in previous post, such action results in an error
> where apache studio asks for user's original password. my question is how to
> disclose this original password in apache studio?

I strongly suspect that the implemented logic is that it's seen as a Modify, thus it expects to have the old value (to delete it) and the new one (to replace it). The thing is that a user may have more than one password, and on a modify operation, changing only one of the passwords will require knowing which of the passwords has to be removed (the old one).

Now, considering the passwordPolicy implementation, this makes no sense: we should only have one single password for a user for the PP to be able to manage the password correctly, thus requiring the old password is nonsensical. This is something that needs to be fixed.

There is also one other thing that I don't like in the way the PP is handled: one should never have to enter the pwdPolicySubEntry attribute in an entry. But this is another problem that requires a full redesign of the PP implementation. Something we must discuss, it's not a simple task...
