
Re: (ITS#8267) contributing a new overlay unicodepw



2015-10-25 9:28 GMT+01:00 Howard Chu <hyc@symas.com>:
> Ingo Voss wrote:
>>
>>
>>
>> On 17.10.2015 at 20:58, Howard Chu wrote:
>>>
>>> ingo.voss@gmail.com wrote:
>>>>
>>>> Full_Name: Ingo Voss
>>>> Version:
>>>> OS:
>>>> URL: ftp://ftp.openldap.org/incoming/contrib-slapd-modules-unicodepw.tar
>>>> Submission from: (NULL) (78.53.86.212)
>>>>
>>>>
>>>> Hello,
>>>>
>>>> I wrote a small overlay that restricts all LDAP modification requests, so that
>>>> only password changes for MS unicodePwd are possible.
>>>> All other LDAP requests will not be observed.
>>>> If someone needs a read-only proxy (e.g. in a DMZ) for an MS Active Directory,
>>>> but password changes must be possible, then unicodepw is the right overlay.
>>>> For more information, a manual page is included.
>>>
>>>
>>> If you want a read-only proxy, shouldn't this overlay also intercept and
>>> deny all Add/Delete/ModDN requests?
>>>
>>
>> Yes, you are right! But such an overlay (denyop) already exists and it is
>> working well.
>> The manual page for unicodepw refers to denyop and describes the complete
>> configuration in detail.
>
>
> OK.
>
> This code is full of C++ comments. OpenLDAP uses C comments only.
>
> This code is full of SPACEs for indentation. OpenLDAP uses TAB characters
> for indentation, with 4-column tab stops.

OK, I'll change that.

>
> Your debug messages are using STATS debug level. STATS is reserved for LDAP
> operation/parameter logging only and is the default level. Code should be
> silent at the default level unless major errors have occurred.

Could you please advise me which log level should be used for such
security-related messages?
The messages are only logged if a password is changed. (Normally,
password changes are very rare and make little noise.)

Thanks Ingo