On 4/15/20 6:44 PM, Quanah Gibson-Mount wrote:
> --On Wednesday, April 15, 2020 7:40 PM +0200 Clément OUDOT
> <[email protected]> wrote:
>> I have done some tests today, I did not find a solution.
>>
>> I tried to give the "manage" right to a service account, and then use the
>> relax or ManageDSAIT controls to force the change of a password which is
>> too short, it is always rejected. The modification is only accepted if it
>> is done by rootdn.
>
> Correct, this is a deficiency in the current implementation. Ties in
> somewhat to <https://bugs.openldap.org/show_bug.cgi?id=9211>

In general I agree that there are real deficiencies regarding access control for extended controls and extended operations.

But I disagree with calling it a deficiency that it's not possible to violate the minimum password length constraint with a relax control or similar. This has to be carefully considered and decided for each possible use-case.

Ciao, Michael.
