directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 13:41:21 GMT
On Fri, Mar 22, 2013 at 7:04 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:

> On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> > Hi guys,
> >
> > We have an issue in the server where the admin (uid=admin,ou=system)
> > account can get locked permanently based on the ppolicy configuration
> > to lock accounts [1].
> >
> > IMO we should allow all user and admin accounts to get locked
> > permanently (again, based on the ppolicy config) except the system's
> > built-in admin account (uid=admin,ou=system). This is just to prevent
> > any abuse involving a regular admin account.
>
> Let me sum up :
> - any user can be locked permanently
> - admin users may also be locked permanently
> - the super-admin cannot be locked permanently
>
> correct ? (If so, my +1)
>
yes

> That raises another question here (see [2]) :
>
> - assuming that [2] is solved, the super admin can unlock all the users
> *and* all the admins ?
>
yes

> - a 'normal' admin can only lock users, not admins ?
>
yes

> PS: admins are the accounts present in the administrators branch atm.
> Won't it make sense to get rid of such a distinction, and to use ACI
> instead?
>
+1, we have to fix DefaultCoreSession's isAnAdministrator() method for this

> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
>
> [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
>
> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com


-- 
Kiran Ayyagari
http://keydap.com
