reeee / pwm

Automatically exported from code.google.com/p/pwm

[Enhancement] performReplicaSyncCheck is dependent on updateLastUpdateAttribute #397

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The current implementation of PWM (trunk) contains a dependency for 
performReplicaSyncCheck on a successful updateLastUpdateAttribute. If you want 
to make use of Replication Checking, the Passwd last update Attribute needs to 
be writable. For at least AD and eDirectory this is a constraint, because those 
Directories already have a read-only attribute (AD: pwdLastSet / EDIR: 
pwdChangedTime) to handle the Passwd last update timestamp. With the current 
implementation of updateLastUpdateAttribute and performReplicaSyncCheck it is 
not possible to use those native Directory attributes. It would be nice if the 
aux attribute pwmLastPwdUpdate were only required if there is no native Directory 
attribute to handle the Passwd last update timestamp. With the current build 
the extra attribute is mandatory if you want to do Replication Checking.

My enhancement proposal suggests implementing performReplicaSyncCheck 
independent of a writable Passwd last update attribute. Besides the current 
passwordLastUpdateAttribute config setting, there could be a second 
passwordReplicationCheckAttribute setting. This could be done like this:

    <setting key="passwordLastUpdateAttribute" level="1">
        <label>Last Password Update Attribute</label>
        <description><![CDATA[This attribute is used to mark the timestamp when the password is updated. If empty, PWM assumes writes are done by the directory itself.]]></description>
        <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
        <default>
            <value><![CDATA[pwmLastPwdUpdate]]></value>
        </default>
        <default template="AD">
            <value />
        </default>
        <default template="ADDB">
            <value />
        </default>
        <default template="NOVL">
            <value />
        </default>
    </setting>
    <setting key="passwordReplicationCheckAttribute" level="1">
        <label>Password Replication Check Attribute</label>
        <description><![CDATA[The attribute that is used during replication checks when the password is updated. If empty, this feature will be disabled.]]></description>
        <regex>^[a-zA-Z][a-zA-Z0-9-]*$</regex>
        <default>
            <value><![CDATA[pwmLastPwdUpdate]]></value>
        </default>
        <default template="AD">
            <value><![CDATA[pwdLastSet]]></value>
        </default>
        <default template="ADDB">
            <value><![CDATA[pwdLastSet]]></value>
        </default>
        <default template="NOVL">
            <value><![CDATA[pwdChangedTime]]></value>
        </default>
    </setting>

In this way you can choose whether you want to use the native Directory 
implementation or a custom Attribute for the Last Password Update Attribute. 
This requires some minor code changes to support the logic in the description. 
Attached is a proposed patch to accomplish this.

Original issue reported on code.google.com by sebastia...@gmail.com on 24 May 2013 at 2:06
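The two-setting split described in the report (a writable "last update" attribute that PWM sets, and a separately configured attribute that is only read back from each replica) can be illustrated with a small stand-alone model. The following Python is an added example written for this page; it is not PWM's code and does not use PWM's configuration API. The dictionaries `CONFIG_AD`, `CONFIG_EDIR`, `CONFIG_GENERIC` and `CONFIG_DISABLED`, the functions `updates_to_write`, `replica_sync_check`, `parse_timestamp` and `to_filetime`, and the constant `CHANGED_AT` are all assumptions of the example. It also goes one step beyond the report by normalising the attribute values: AD's pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), while the eDirectory and pwmLastPwdUpdate values are treated as LDAP generalized time strings (the eDirectory wire format is an assumption here).

```python
from datetime import datetime, timedelta, timezone

# Constructed configurations mirroring the proposed settings (not PWM's own config format).
# An empty passwordLastUpdateAttribute means "the directory maintains the timestamp itself";
# an empty passwordReplicationCheckAttribute disables the replication check.
CONFIG_AD = {"passwordLastUpdateAttribute": "",
             "passwordReplicationCheckAttribute": "pwdLastSet"}
CONFIG_EDIR = {"passwordLastUpdateAttribute": "",
               "passwordReplicationCheckAttribute": "pwdChangedTime"}
CONFIG_GENERIC = {"passwordLastUpdateAttribute": "pwmLastPwdUpdate",
                  "passwordReplicationCheckAttribute": "pwmLastPwdUpdate"}
CONFIG_DISABLED = {"passwordLastUpdateAttribute": "pwmLastPwdUpdate",
                   "passwordReplicationCheckAttribute": ""}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

# Constructed moment at which the password change was issued (matches the report's date).
CHANGED_AT = datetime(2013, 5, 24, 14, 6, 0, tzinfo=timezone.utc)


def to_filetime(dt):
    """Aware UTC datetime -> Windows FILETIME ticks (100 ns units since 1601-01-01)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_timestamp(attr, raw):
    """Normalise a raw directory value to an aware UTC datetime.

    pwdLastSet is a FILETIME integer (0 means 'must change at next logon', which
    deliberately sorts before any real change time). Everything else is assumed to
    be LDAP generalized time, e.g. 20130524140600Z (assumption of this example).
    """
    if attr.lower() == "pwdlastset":
        return FILETIME_EPOCH + timedelta(microseconds=int(raw) // 10)
    return datetime.strptime(raw, GENERALIZED_TIME).replace(tzinfo=timezone.utc)


def updates_to_write(config, now):
    """The extra modification PWM would issue after a password change, or None
    when the directory is trusted to maintain the timestamp natively."""
    attr = config["passwordLastUpdateAttribute"]
    if not attr:
        return None
    return {attr: now.strftime(GENERALIZED_TIME)}


def replica_sync_check(config, replica_reads, changed_at):
    """Read-only replication check, independent of whether anything was written.

    replica_reads maps replica host -> raw attribute value read from that replica
    (None if the attribute was absent). Returns (status, lagging_hosts) where status
    is 'disabled', 'synced' or 'pending'.
    """
    attr = config["passwordReplicationCheckAttribute"]
    if not attr:
        return "disabled", []
    lagging = []
    for host, raw in replica_reads.items():
        if raw is None or parse_timestamp(attr, raw) < changed_at:
            lagging.append(host)
    return ("synced" if not lagging else "pending"), sorted(lagging)


if __name__ == "__main__":
    ticks = to_filetime(CHANGED_AT)
    # Constructed reads: dc2 is still one minute behind (60 s = 600,000,000 ticks).
    reads = {"dc1": str(ticks), "dc2": str(ticks - 600_000_000)}
    print(updates_to_write(CONFIG_AD, CHANGED_AT))          # None: AD sets pwdLastSet itself
    print(replica_sync_check(CONFIG_AD, reads, CHANGED_AT))  # ('pending', ['dc2'])
```

Note that comparing a replica's native timestamp against the PWM server's own clock (as `changed_at` does here) makes the check sensitive to clock skew between PWM and the directory; when PWM writes pwmLastPwdUpdate itself, both sides of the comparison come from the same clock, which is one reason the current implementation couples the two.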

GoogleCodeExporter commented 9 years ago
Fixed a minor typo

Original comment by sebastia...@gmail.com on 24 May 2013 at 2:10
