directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 13:34:32 GMT
Le 3/22/13 2:25 PM, Kiran Ayyagari a écrit :
> Hi guys,
>
>      We have an issue in the server where the admin (uid=admin,ou=system)
> account can get locked
>      permanently based on the ppolicy configuration to lock accounts [1].
>
>      IMO we should allow all user and admin accounts to get locked
> permanently (again, based on the ppolicy config)
>      except the system's built-in admin account (uid=admin,ou=system). This
> is just to prevent any abuse involving a
>      regular admin account.

Let me sum up :
- any user can be locked permanently
- admin users may also be locked permanently
- the super-admin cannot be locked permanently

correct ? (If so, my +1)

That raises another question here (see [2]) :

- assuming that [2] is solved, the super admin can unlock all the users
*and* all the admins ?
- a 'normal' admin can only lock users, not admins ?

PS : admins are the account present in the administrators branch atm.
Won't it make sense to get rid of such a distinction, and to uses ACI
instead ?

> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812

[2] https://issues.apache.org/jira/browse/DIRSERVER-1813


>


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com 


Mime
View raw message