On Fri, Mar 22, 2013 at 7:04 PM, Emmanuel Lécharny <elecharny@gmail.com> wrote:
On 3/22/13 2:25 PM, Kiran Ayyagari wrote:
> Hi guys,
> We have an issue in the server where the admin (uid=admin,ou=system)
> account can get locked permanently based on the ppolicy configuration
> to lock accounts [1].
> IMO we should allow all user and admin accounts to get locked
> permanently (again, based on the ppolicy config) except the system's
> built-in admin account (uid=admin,ou=system). This is just to prevent
> any abuse involving a regular admin account.

Let me sum up:
- any user can be locked permanently
- admin users may also be locked permanently
- the super-admin cannot be locked permanently

Correct? (If so, my +1)

That raises another question here (see [2]):

- assuming that [2] is solved, the super admin can unlock all the users
*and* all the admins?
- a 'normal' admin can only lock users, not admins?

PS: admins are the accounts present in the administrators branch atm.
Won't it make sense to get rid of such a distinction, and to use ACI
instead?

+1, we have to fix DefaultCoreSession's isAnAdministrator() method for this

> [1] https://issues.apache.org/jira/browse/DIRSERVER-1812

[2] https://issues.apache.org/jira/browse/DIRSERVER-1813


Emmanuel Lécharny

Kiran Ayyagari