upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-20 22:59:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

ITS#9343 Adapt documentation to explain new behaviour

Browse source
This commit is contained in:
Ondřej Kuzník 2023-02-23 12:07:09 +00:00
parent 7aaee92f0a
commit 2414e4a96b
1 changed files with 128 additions and 25 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

153
doc/man/man5/slapo-ppolicy.5
View file

@ -55,22 +55,6 @@ after the
.B overlay .B overlay
directive. directive.
.TP .TP
.B ppolicy_rules <LDAP URI> <policyDN>
Specify which pwdPolicy object to use when no specific policy is set on
a given user's entry. If there is no pwdPolicySubentry set, the URIs are
checked in order and the first one to match will apply. If one is selected
and the object at
.B policyDN
does not exist or is not a password policy, then no policies will be
enforced.
.TP
.B ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry and none of the
.B ppolicy_rules
apply. If there is no specific policy for an entry
and no default is given, then no policies will be enforced.
.TP
.B ppolicy_forward_updates .B ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such Specify that policy state changes that result from Bind operations (such
as recording failures, lockout, etc.) on a consumer should be forwarded as recording failures, lockout, etc.) on a consumer should be forwarded
@ -129,6 +113,117 @@ Note: Use of a
is a non-standard extension to the LDAP password is a non-standard extension to the LDAP password
policy proposal. policy proposal.
.HP
.hy 0
.B ppolicy_rules
.B [dn[.<dnstyle>]=<DN/regex>]
.B [require_password=yes|no]
.B [filter=<filter str>]
.B [group[.expand][/<objectclass>[/<attribute>]]=<DN/pattern>]
.B no_policy|policy_dn=<policyDN>|policy_dn.expand=<pattern>
.B [stop|continue]
.RS
Specify which pwdPolicy object to use when no specific policy is set on
a given user's entry. The rules are checked in order and the
first one to match will apply (but see the
.B continue
action). If a rule that specifies
.B no_policy
is selected or the selected
.B policyDN
is an entry with objectclass
.B pwdPolicy
but its contents are not valid, then no policies will be
enforced.
When checking whether a rule applies,
.B ppolicy
checks:
.RS
.IP \[bu] 2
The entry's DN against the
.BR dn[.<dnstyle>]
.IP \[bu]
If
.B require_password
is
.BR yes
(the default), presence of the password attribute (currently only
.BR userPassword )
.IP \[bu]
The entry's contents against the
.BR filter
.IP \[bu]
Whether it is considered a member of the group specified in
.BR group[.expand]
.RE
All of which are optional. Matching and meaning of
.B <dnstyle>
and
.B expand
loosely follow that described in
.BR slapd.access (5)
except that the expansions in the pattern space are slightly more
limited, only the
.B $<digit>
form is supported at the moment and only if
.B dnstyle
is
.BR regex .
It then tries to retrieve
.B policyDN
and check that its objectclass is
.BR pwdPolicy .
If all of the rule checks pass, behaviour depends on the
.B action
keyword
.RB ( stop | continue ).
If
.B action
is
.BR stop
(the default), processing ends here with policy that was just
chosen (or the
.B no_policy
decision). If
.B action
is
.BR continue ,
the decision is remembered, processing continues and can be
overriden by later rules.
The way to configure this in
.B cn=config
is through child entries under the overlay entry with objectclass
.B olcPPolicyRegexRule
for regex-based DN matching and
.B olcPPolicyScopedRule
for any other
.BR <dnstyle> .
.RE
.TP
.B ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is
set on a given user's entry and none of the
.B ppolicy_rules
matched. If there is no specific policy for an entry and no
default is given, then no policies will be enforced. This option
is deprecated in favour of
.B ppolicy_rules
and support for it will be removed in a future release. It
behaves as if the following rule was the first rule in
.BR ppolicy_rules :
.RS
.LP
.nf
ppolicy_rules policyDN=<policyDN> continue
.fi
.LP
.RE
.SH OBJECT CLASS .SH OBJECT CLASS
The The
@ -783,16 +878,24 @@ its definition.
This attribute refers directly to the This attribute refers directly to the
.B pwdPolicy .B pwdPolicy
subentry that is to be used for this particular directory user. subentry that is to be used for this particular directory user.
If Every account that should be subject to password policy control will
.B pwdPolicySubentry have a
exists, it must contain the DN of a valid .B
pwdPolicySubentry
attribute containing the DN of a
.B pwdPolicy .B pwdPolicy
object. If it does not exist, the entry. The module will use the one stored in the DB if it
.B ppolicy exists, otherwise it will attempt to derive the correct policy to
module will enforce the default password policy rules on the apply based on the rules it has been configured with, see
user associated with this authenticating DN. If there is no .BR ppolicy_rules / olcPPolicyScopedRule / olcPPolicyRegexRule
default, or the referenced subentry does not exist, then no configuration options. In this way different users may be managed
policy rules will be enforced. according to configurable policies. The value of the effective
policy DN will be returned if requested in a search request but
this is a virtual attribute and is
.B not
usable in a filter. Modifying/adding this attribute directly is
.B deprecated
and the ability to do so will be removed in a future release.
.LP .LP
.RS 4 .RS 4
( 1.3.6.1.4.1.42.2.27.8.1.23 ( 1.3.6.1.4.1.42.2.27.8.1.23