directory-dev mailing list archives

From Kiran Ayyagari <kayyag...@apache.org>
Subject Re: [ApacheDS] preventing built-in admin account from getting locked permanently
Date Fri, 22 Mar 2013 13:55:15 GMT
On Fri, Mar 22, 2013 at 7:10 PM, Pierre-Arnaud Marcelot <pa@marcelot.net> wrote:

>
> On 22 March 2013, at 14:34, Emmanuel Lécharny <elecharny@gmail.com> wrote:
>
> > On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> >> Hi guys,
> >>
> >>     We have an issue in the server where the admin (uid=admin,ou=system)
> >> account can get locked
> >>     permanently based on the ppolicy configuration to lock accounts [1].
> >>
> >>     IMO we should allow all user and admin accounts to get locked
> >> permanently (again, based on the ppolicy config)
> >>     except the system's built-in admin account (uid=admin,ou=system).
> >>     This is just to prevent any abuse involving a
> >>     regular admin account.
> >
> > Let me sum up :
> > - any user can be locked permanently
> > - admin users may also be locked permanently
> > - the super-admin cannot be locked permanently
> >
> > correct ? (If so, my +1)
>
> My +1 too, if that's the case.
>
> > That raises another question here (see [2]) :
> >
> > - assuming that [2] is solved, the super admin can unlock all the users
> > *and* all the admins ?
> > - a 'normal' admin can only lock users, not admins ?
> >
> > PS : admins are the accounts present in the administrators branch atm.
> > Won't it make sense to get rid of such a distinction, and to use ACI
> > instead ?
>
> IMO, admins should be able to unlock admins as well.
> I'd expect it to work that way as a user, personally.
>
> +1, good idea

>
> I see the exception we would make on making the lock of the super-admin
> impossible, more of a preventive measure to have at least one non-locked
> bindable user that can unlock others.
>
>
> Regards,
> Pierre-Arnaud
>
>
>
> >
> >> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812
> >
> > [2] https://issues.apache.org/jira/browse/DIRSERVER-1813
> >
> >
> >>
> >
> >
> > --
> > Regards,
> > Cordialement,
> > Emmanuel Lécharny
> > www.iktek.com
> >
>
>


-- 
Kiran Ayyagari
http://keydap.com
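
The rule agreed in this thread (any account may be locked permanently per the ppolicy config, except uid=admin,ou=system), as an added example that is not part of the original message and is not ApacheDS code. The names PPolicy, lock_decision and normalize_dn, the "exempt" outcome and the simplified DN normalization are assumptions; the field comments refer to attributes of the LDAP password policy draft.

```python
from dataclasses import dataclass

BUILTIN_ADMIN_DN = "uid=admin,ou=system"  # the DN named in the thread


def normalize_dn(dn: str) -> str:
    """Simplified normalization (assumption): trim whitespace around each
    RDN and around '=', then lowercase. A real server normalizes per
    attribute schema; escaped commas are not handled here."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


@dataclass
class PPolicy:
    pwd_lockout: bool          # pwdLockout
    pwd_max_failure: int       # pwdMaxFailure, 0 = no limit on failed binds
    pwd_lockout_duration: int  # pwdLockoutDuration in seconds, 0 = until reset


def lock_decision(dn: str, failures: int, policy: PPolicy) -> str:
    """Outcome after a failed bind: 'none', 'temporary', 'permanent', or
    'exempt' (threshold reached, but the account is the built-in admin)."""
    if not policy.pwd_lockout or policy.pwd_max_failure <= 0:
        return "none"
    if failures < policy.pwd_max_failure:
        return "none"
    if policy.pwd_lockout_duration > 0:
        # Timed locks expire on their own, so they apply to every account.
        return "temporary"
    # The policy asks for a permanent lock. Compare normalized DNs so that
    # case or spacing variants of the admin DN still match the exception.
    if normalize_dn(dn) == normalize_dn(BUILTIN_ADMIN_DN):
        # Assumption: report a distinct outcome so the caller can log the
        # repeated failures against the one account that stays bindable.
        return "exempt"
    return "permanent"
```
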
