Posted to api@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2021/04/06 13:17:40 UTC

Relax Control and password policies

Due to changes that are now in the OpenLDAP mainline and part of their 2.5 beta release, password policies work a bit differently.

First, the schema ppolicy.schema is built in and isn’t included as an entry in the slapd config. This change doesn’t have relevance here as it’s an implementation detail.

The second change does apply here. It requires following the RFC standard for client-induced changes to the operational attributes on the user entry that help manage pw policies.

Specifically, when editing values like pwdLockout and pwdPolicySubentry, the relax control must be included in the request before the server will make any changes.

I’ve created a ticket to carry these associated changes into fortress:

[Support Relax Control](https://issues.apache.org/jira/browse/FC-291)

What may be interesting here is that I didn't find this control as an existing API support, per:

http://directory.apache.org/api/user-guide/6.7-control.html#managedsait

So, I built one.  I followed this good example:

http://directory.apache.org/api/internal-design-guide/13-controls.html

The code’s in a branch:

[RelaxControl (interface)](https://github.com/apache/directory-fortress-core/blob/relax/src/main/java/org/apache/directory/fortress/core/ldap/RelaxControl.java)

[RelaxControlImpl](https://github.com/apache/directory-fortress-core/blob/relax/src/main/java/org/apache/directory/fortress/core/ldap/RelaxControlImpl.java)

[RelaxControlDecorator](https://github.com/apache/directory-fortress-core/blob/relax/src/main/java/org/apache/directory/fortress/core/ldap/RelaxControlDecorator.java)

I’m fine with maintaining this as part of the fortress core but thought it might be useful as part of the API.

Let me know if this should be included as part of the API codebase.

Thanks,

—
Shawn
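
What the relax control adds on the wire, as an added example that is not part of the original post or the Fortress branch: a BER-encoded RFC 4511 ModifyRequest for pwdPolicySubentry with the control attached, plus a reader that lists the controls on a message. The OID is OpenLDAP's LDAP_CONTROL_RELAX (not stated in the post); the DN, policy entry and the critical flag are assumptions, and all function names are hypothetical.

```python
# Added example (not Fortress code): encode a ModifyRequest with the Relax control.
RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"  # assumption: OpenLDAP LDAP_CONTROL_RELAX

def tlv(tag, value):
    """Encode one BER tag-length-value using a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def octets(text):
    return tlv(0x04, text.encode("utf-8"))

def control(oid, critical=False):
    """Control ::= SEQUENCE { controlType, criticality DEFAULT FALSE }, no value."""
    return tlv(0x30, octets(oid) + (tlv(0x01, b"\xff") if critical else b""))

def modify_replace(msg_id, dn, attr, values, controls=()):
    vals = tlv(0x31, b"".join(octets(v) for v in values))      # SET OF value
    change = tlv(0x30, tlv(0x0A, b"\x02")                      # operation replace(2)
                 + tlv(0x30, octets(attr) + vals))             # PartialAttribute
    op = tlv(0x66, octets(dn) + tlv(0x30, change))             # [APPLICATION 6]
    mid = tlv(0x02, msg_id.to_bytes(msg_id.bit_length() // 8 + 1, "big"))
    ctl = tlv(0xA0, b"".join(controls)) if controls else b""   # [0] Controls
    return tlv(0x30, mid + op + ctl)

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def controls_in(message):
    """Return [(oid, critical)] for each control on an encoded LDAPMessage."""
    found, pos, body = [], 0, read_tlv(message, 0)[1]
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        cpos = 0
        while tag == 0xA0 and cpos < len(val):
            _, ctl, cpos = read_tlv(val, cpos)
            _, oid, rest = read_tlv(ctl, 0)
            critical = rest < len(ctl) and ctl[rest] == 0x01 and ctl[rest + 2] != 0
            found.append((oid.decode(), critical))
    return found

def sample_request(with_relax):
    # Constructed sample values; critical=True makes an unsupporting server reject.
    ctls = (control(RELAX_OID, critical=True),) if with_relax else ()
    return modify_replace(1, "uid=jdoe,ou=People,dc=example,dc=com",
        "pwdPolicySubentry", ["cn=strict,ou=Policies,dc=example,dc=com"], ctls)
```

Running `controls_in` over captured or proxied modify requests is one way to audit which clients are sending the relax control.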

