The current implementation of PWM (trunk) contains a dependency for
performReplicaSyncCheck on a successful updateLastUpdateAttribute. If you want
to make use of Replication Checking, the Passwd last update attribute needs to
be writable. For at least AD and eDirectory this is a constraint, because those
directories already have a read-only attribute (AD: pwdLastSet / eDirectory:
pwdChangedTime) to handle the Passwd last update timestamp. With the current
implementation of updateLastUpdateAttribute and performReplicaSyncCheck it is
not possible to use those native directory attributes. It would be nice if the
aux attribute pwmLastPwdUpdate were only required if there is no native directory
attribute to handle the Passwd last update timestamp. With the current build
the extra attribute is mandatory if you want to do Replication Checking.
My enhancement proposal suggests implementing performReplicaSyncCheck
independently of a writable Passwd last update attribute. Besides the current
passwordLastUpdateAttribute config setting, there could be a second
passwordReplicationCheckAttribute setting. This could be done like this:
```xml
<setting key="passwordLastUpdateAttribute" level="1">
  <label>Last Password Update Attribute</label>
  <description><![CDATA[This attribute is used to mark the timestamp when the password is updated. If empty, PWM assumes writes are done by the directory itself.]]></description>
  <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
  <default>
    <value><![CDATA[pwmLastPwdUpdate]]></value>
  </default>
  <default template="AD">
    <value />
  </default>
  <default template="ADDB">
    <value />
  </default>
  <default template="NOVL">
    <value />
  </default>
</setting>
<setting key="passwordReplicationCheckAttribute" level="1">
  <label>Password Replication Check Attribute</label>
  <description><![CDATA[The attribute that is used during replication checks when the password is updated. If empty, this feature will be disabled.]]></description>
  <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
  <default>
    <value><![CDATA[pwmLastPwdUpdate]]></value>
  </default>
  <default template="AD">
    <value><![CDATA[pwdLastSet]]></value>
  </default>
  <default template="ADDB">
    <value><![CDATA[pwdLastSet]]></value>
  </default>
  <default template="NOVL">
    <value><![CDATA[pwdChangedTime]]></value>
  </default>
</setting>
```
In this way you can choose whether you want to use the native directory
implementation or a custom attribute for the Last Password Update Attribute.
This requires some minor code changes to support the logic in the description.
Attached is a proposed patch to accomplish this.
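To make the two decisions concrete, here is an added Python example (not PWM code) that parses the proposed settings fragment and resolves, per directory template, which attribute PWM would write after a password change and which one it would read for the replica sync check. The embedded XML is a constructed copy of the fragment above, and the helper names are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the two proposed settings (defaults only); this is
# not PWM's own PwmSetting.xml.
SETTINGS_XML = """<settings>
<setting key="passwordLastUpdateAttribute" level="1">
  <default><value>pwmLastPwdUpdate</value></default>
  <default template="AD"><value /></default>
  <default template="ADDB"><value /></default>
  <default template="NOVL"><value /></default>
</setting>
<setting key="passwordReplicationCheckAttribute" level="1">
  <default><value>pwmLastPwdUpdate</value></default>
  <default template="AD"><value>pwdLastSet</value></default>
  <default template="ADDB"><value>pwdLastSet</value></default>
  <default template="NOVL"><value>pwdChangedTime</value></default>
</setting>
</settings>"""


def load_settings(xml_text):
    """Parse a settings fragment and return its root element."""
    return ET.fromstring(xml_text)


def resolve_default(root, key, template=None):
    """Effective default of `key` for `template`: a template-specific
    <default> wins over the generic one, and an empty <value /> resolves
    to '' (the feature is switched off for that setting)."""
    setting = root.find(f"./setting[@key='{key}']")
    if setting is None:
        raise KeyError(key)
    generic = ""
    for default in setting.findall("default"):
        value = (default.findtext("value") or "").strip()
        if default.get("template") == template:
            return value
        if default.get("template") is None:
            generic = value
    return generic


def password_update_plan(root, template=None):
    """The two decisions the proposal decouples: what to write after a
    password change, and what to read for the replica sync check."""
    write_attr = resolve_default(root, "passwordLastUpdateAttribute", template)
    check_attr = resolve_default(root, "passwordReplicationCheckAttribute", template)
    return {
        "write_last_update": write_attr or None,  # None: directory maintains it
        "replica_check": check_attr or None,      # None: replication check disabled
    }


if __name__ == "__main__":
    settings = load_settings(SETTINGS_XML)
    for tpl in (None, "AD", "ADDB", "NOVL"):
        print(tpl or "generic", password_update_plan(settings, tpl))
```

For the AD and NOVL templates the plan writes nothing but still checks the native read-only attribute, which is exactly the behaviour the current trunk code cannot express.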
Original issue reported on code.google.com by sebastia...@gmail.com on 24 May 2013 at 2:06