[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
From: hyc@symas.com
Date: Thu, 9 Jun 2011 08:46:04 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Andrew Findlay wrote:
> On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
>
>>> slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
>>> fragments for pwdPolicySubentry and pwdAccountLockedTime.
>>
>> That's how they were defined in the IETF Draft. The schema fragments
>> in the manpage were copied directly from the spec. The fact that the
>> current implementation deviates from the spec is just out of
>> necessity to make things work at all in our present code base.
>
> Certainly the use of pwdPolicySubentry differs from the
> intention of the draft (which I believe was intending to use
> real X.500-style subentries).
>
> The case of pwdAccountLockedTime is arguable.
> draft-behera-ldap-password-policy-xx.txt says:
>
>     This attribute holds the time that the user's account was locked.  A
>     locked account means that the password may no longer be used to
>     authenticate.  A 000001010000Z value means that the account has been
>     locked permanently, and that only a password administrator can unlock
>     the account.
>
> Unfortunately it says nothing about *how* a password
> administrator should do that when the attribute is marked
> NO-USER-MODIFICATION. I would argue that this is a
> deficiency in the draft, and that the current OpenLDAP
> behaviour is more useful.
>
>> Things will not always work this way...
>
> Indeed, but I would prefer the manpages to reflect the
> reality of the current release!

I note that in ppolicy.c we have:

     {   "( 1.3.6.1.4.1.42.2.27.8.1.17 "
         "NAME ( 'pwdAccountLockedTime' ) "
         "DESC 'The time an user account was locked' "
         "EQUALITY generalizedTimeMatch "
         "ORDERING generalizedTimeOrderingMatch "
         "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
         "SINGLE-VALUE "
#if 0
         /* Not until Relax control is released */
         "NO-USER-MODIFICATION "
#endif
         "USAGE directoryOperation )",

We have in fact released support for the Relax control, so it's probably time 
to unifdef these bits and go back to the documented behavior.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: Re: [PATCH] More for ITS#6872
Next by Date: (ITS#6965) Ldap ld210_en for Mdaemon ver 11.0.1-urgent
Index(es):
- Chronological
- Thread