directory-dev mailing list archives

From Pierre-Arnaud Marcelot ...@marcelot.net>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 13:40:45 GMT

On 22 March 2013, at 14:34, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
>> Hi guys,
>> 
>>     We have an issue in the server where the admin (uid=admin,ou=system)
>> account can get locked
>>     permanently based on the ppolicy configuration to lock accounts [1].
>> 
>>     IMO we should allow all user and admin accounts to get locked
>> permanently (again, based on the ppolicy config)
>>     except the system's built-in admin account (uid=admin,ou=system). This
>> is just to prevent any abuse involving a
>>     regular admin account.
> 
> Let me sum up :
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
> 
> correct ? (If so, my +1)

My +1 too, if that's the case.

> That raises another question here (see [2]) :
> 
> - assuming that [2] is solved, the super admin can unlock all the users
> *and* all the admins ?
> - a 'normal' admin can only lock users, not admins ?
> 
> PS: admins are the accounts present in the administrators branch atm.
> Wouldn't it make sense to get rid of such a distinction, and to use ACI
> instead?

IMO, admins should be able to unlock admins as well.
I'd expect it to work that way as a user, personally.


I see the exception we would make in making the lock of the super-admin impossible as more of
a preventive measure, to have at least one non-locked bindable user that can unlock others.


Regards,
Pierre-Arnaud



> 
>> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
> 
> [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
> 
> 
>> 
> 
> 
> -- 
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com 
> 
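
The rule agreed in this thread, as a small model added to this archive page (it is not ApacheDS code and does not come from the posters): failed binds lock accounts according to the policy, but the built-in `uid=admin,ou=system` account is never locked permanently, so one bindable account remains to unlock the others. The `Policy` fields, the `Server` class and the rule that only the super-admin unlocks are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

SUPER_ADMIN = "uid=admin,ou=system"   # built-in account named in the thread
@dataclass
class Policy:                          # constructed values, not ApacheDS defaults
    max_failure: int = 3               # failed binds before lockout
    lockout_duration: int = 0          # seconds; 0 = locked until an admin resets it

@dataclass
class Account:
    dn: str
    password: str                      # plaintext only to keep the model short
    failures: int = 0
    locked_at: Optional[float] = None  # time the lock was set, None if unlocked

class Server:                          # hypothetical model, not the ApacheDS API
    def __init__(self, policy, accounts):
        self.policy, self.accounts = policy, {a.dn: a for a in accounts}

    def is_locked(self, acct, now):
        if acct.locked_at is None:
            return False
        d = self.policy.lockout_duration
        return d == 0 or now < acct.locked_at + d   # 0 means permanent

    def bind(self, dn, password, now=0.0):
        acct = self.accounts[dn]
        if self.is_locked(acct, now):
            return "locked"
        if acct.locked_at is not None:               # a timed lock has expired
            acct.locked_at, acct.failures = None, 0
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        # The exception from the thread: no permanent lock for the super-admin.
        exempt = dn == SUPER_ADMIN and self.policy.lockout_duration == 0
        if acct.failures >= self.policy.max_failure and not exempt:
            acct.locked_at = now
        return "invalid"

    def unlock(self, actor_dn, actor_pw, target_dn, now=0.0):
        # Assumption: only the super-admin unlocks; the thread leaves other ACLs open.
        if actor_dn != SUPER_ADMIN or self.bind(actor_dn, actor_pw, now) != "ok":
            return False
        target = self.accounts[target_dn]
        target.locked_at, target.failures = None, 0
        return True
```

With a non-zero `lockout_duration` the super-admin is still subject to the timed lock in this model; only the permanent case is exempted.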

