[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
- From: hyc@symas.com
- Date: Thu, 9 Jun 2011 08:46:04 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Andrew Findlay wrote:
> On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
>
>>> slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
>>> fragments for pwdPolicySubentry and pwdAccountLockedTime.
>>
>> That's how they were defined in the IETF Draft. The schema fragments
>> in the manpage were copied directly from the spec. The fact that the
>> current implementation deviates from the spec is just out of
>> necessity to make things work at all in our present code base.
>
> Certainly the use of pwdPolicySubentry differs from the
> intention of the draft (which I believe was intending to use
> real X.500-style subentries).
>
> The case of pwdAccountLockedTime is arguable.
> draft-behera-ldap-password-policy-xx.txt says:
>
> This attribute holds the time that the user's account was locked. A
> locked account means that the password may no longer be used to
> authenticate. A 000001010000Z value means that the account has been
> locked permanently, and that only a password administrator can unlock
> the account.
>
> Unfortunately it says nothing about *how* a password
> administrator should do that when the attribute is marked
> NO-USER-MODIFICATION. I would argue that this is a
> deficiency in the draft, and that the current OpenLDAP
> behaviour is more useful.
>
>> Things will not always work this way...
>
> Indeed, but I would prefer the manpages to reflect the
> reality of the current release!
I note that in ppolicy.c we have:
{ "( 1.3.6.1.4.1.42.2.27.8.1.17 "
"NAME ( 'pwdAccountLockedTime' ) "
"DESC 'The time an user account was locked' "
"EQUALITY generalizedTimeMatch "
"ORDERING generalizedTimeOrderingMatch "
"SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
"SINGLE-VALUE "
#if 0
/* Not until Relax control is released */
"NO-USER-MODIFICATION "
#endif
"USAGE directoryOperation )",
We have in fact released support for the Relax control, so it's probably time
to unifdef these bits and go back to the documented behavior.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/