389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

Need a tool for Password Policy and Account Usable controls #5084

Open antbob opened 2 years ago

antbob commented 2 years ago

Is your feature request related to a problem? Please describe.

389ds supports both the draft-behera-ldap-password-policy and the old Sun 1.3.6.1.4.1.42.2.27.9.5.8 Account Usable controls, which provide end users and admins alike with the exact details of user account status. This is very useful, especially for admins, to figure out a particular user account's status and relevant details, e.g. if the account is locked and, if so, why: lockout limit, password expired, password reset, etc.

Since the 389ds switch to the OpenLDAP client, currently no 389ds-bundled tool can process and convey such information properly, so the only choice is to either use 3rd-party tools from 3rd-party sources that pull in other dependencies with the baggage of unknown support status, or write your own (which can get tricky, and I would know since I actually wrote the related LDAP C SDK API back when at Sun).

Describe the solution you'd like

An easy to use, bundled tool, that can parse and convey account status / password policy related state for users.

Describe alternatives you've considered

The old Mozilla LDAP C SDK had support for the Account Usable control and the tools probably did too (or there was a DSRK tool just for that, I can't recall now). OpenLDAP only supports the behera draft, but while the API is fully implemented, the support in the client tools is lacking: "-e 'ppolicy'" only reports password expiration. The OpenDS/DJ tools are probably the only practical alternative available today.

Additional context

While it should be possible to get the OpenLDAP tools up to date (or piggyback on the 'ldapvc' tool), I reckon a simple standalone bundled tool is ultimately a better approach. It can support both the Account Usable and Password Policy controls and Proxy Authz (for admin use) and not be tied to the semantics of specific operation/s.
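An added example (not code from 389-ds-base or from the issue author) of the decoding such a tool would need for the behera control: a dependency-free Python decoder for the draft's PasswordPolicyResponseValue, which reports the error cause (account locked, must change after reset, ...) that "-e 'ppolicy'" leaves out. Tags and enumeration follow the draft; the sample control values are constructed here, not captured from a server.

```python
# Decoder for the draft-behera-ldap-password-policy response control value.
# The raw value arrives as the controlValue of the response control with
# OID 1.3.6.1.4.1.42.2.27.8.5.1 returned alongside the bind/modify result.
#
# PasswordPolicyResponseValue ::= SEQUENCE {
#   warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                        graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#   error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
# Under LDAP's implicit tagging, a tagged CHOICE stays explicit, so warning is
# the constructed tag 0xA0 wrapping 0x80 or 0x81; error is primitive 0x81.

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}
WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}

def _tlv(buf, pos):
    """Read one BER TLV (short or long definite length) starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n, length = length & 0x7F, 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Return {'warning': (kind, seconds_or_count) or None, 'error': name or None}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value is not a SEQUENCE")
    out, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                  # warning [0]: explicit tag around the CHOICE
            ctag, cval, _ = _tlv(inner, 0)
            out["warning"] = (WARNING_TAGS[ctag], int.from_bytes(cval, "big"))
        elif tag == 0x81:                # error [1]: ENUMERATED
            code = int.from_bytes(inner, "big")
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return out

# Constructed sample values (hand-encoded, not server captures).
SAMPLE_LOCKED = bytes.fromhex("3003810101")             # error = accountLocked
SAMPLE_EXPIRING = bytes.fromhex("3006a00480020e10")     # timeBeforeExpiration = 3600 s
SAMPLE_GRACE = bytes.fromhex("3008a00381010281 0100".replace(" ", ""))  # 2 grace logins left, passwordExpired
```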

Firstyear commented 2 years ago

@mreynolds389 Doesn't dsidm account status already satisfy this if I'm not mistaken?

antbob commented 2 years ago

@Firstyear I have tried dsidm account entry-status btw, but it doesn't catch things like account lockout (e.g. 3 incorrect cred binds). It seems to only display some very basic information you can already get via ldapsearch. Perhaps it can be enhanced to parse Account Usable and pwp instead of doing a separate tool?!

Firstyear commented 2 years ago

I think if some of these possible account settings are missing, we could improve lib389 and dsidm account to show these, yes. :)