Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
- From: hyc@symas.com
- Date: Thu, 30 Jun 2011 10:11:36 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Andrew Findlay wrote:
> On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:
>
>> I note that in ppolicy.c we have:
>>
>> { "( 1.3.6.1.4.1.42.2.27.8.1.17 "
>> "NAME ( 'pwdAccountLockedTime' ) "
>> "DESC 'The time an user account was locked' "
>> "EQUALITY generalizedTimeMatch "
>> "ORDERING generalizedTimeOrderingMatch "
>> "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
>> "SINGLE-VALUE "
>> #if 0
>> /* Not until Relax control is released */
>> "NO-USER-MODIFICATION "
>> #endif
>> "USAGE directoryOperation )",
>>
>> We have in fact released support for the Relax control, so it's
>> probably time to unifdef these bits and go back to the documented
>> behavior.
>
> That seems reasonable in the long term, though it will break many sites'
> existing password management procedures. The change will have to be
> mentioned in the updated manpage, noting the version at which it takes
> effect.
>
> Should I produce an updated version of the manpage patch?
Well since you raise the question, what do you think is the more sensible
approach to all of this? I was the one who argued in ldapext that these
attributes should be no-user-modification but perhaps that makes them too
inconvenient to administer.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
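
An added example (not code from this thread or from OpenLDAP): a small Python parser for RFC 4512 attribute type descriptions that reports whether a definition carries NO-USER-MODIFICATION, which tells an administrator whether procedures that write `pwdAccountLockedTime` with an ordinary modify would need the Relax control once the `#if 0` block quoted above is enabled. The function names and the joined sample strings are constructed for illustration.

```python
import re

# Tokens of an RFC 4512 AttributeTypeDescription: parens, quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")
_FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}

def parse_attribute_type(defn):
    """Parse one attributeTypes value into a dict of its fields and flags."""
    toks = _TOKEN.findall(defn)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("not a parenthesised attribute type description")
    out = {"oid": toks[1], "flags": set()}
    i = 2
    while i < len(toks) - 1:
        key = toks[i]
        i += 1
        if key in _FLAGS:                       # bare keyword, takes no value
            out["flags"].add(key)
            continue
        if i >= len(toks) - 1:
            raise ValueError("keyword %s has no value" % key)
        if toks[i] == "(":                      # list value, e.g. NAME ( 'a' 'b' )
            end = toks.index(")", i)
            vals = [t.strip("'") for t in toks[i + 1:end] if t != "$"]
            i = end + 1
        else:                                   # single value
            vals = [toks[i].strip("'")]
            i += 1
        out[key] = vals
    return out

def writable_without_relax(defn):
    """True if an ordinary modify may write the attribute (flag absent)."""
    return "NO-USER-MODIFICATION" not in parse_attribute_type(defn)["flags"]

# Constructed input: the ppolicy.c fragment quoted above joined into one string,
# first with the #if 0 block excluded, then with the flag enabled.
BASE = ("( 1.3.6.1.4.1.42.2.27.8.1.17 NAME ( 'pwdAccountLockedTime' ) "
        "DESC 'The time an user account was locked' "
        "EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE %s"
        "USAGE directoryOperation )")
AS_COMPILED = BASE % ""
AS_DOCUMENTED = BASE % "NO-USER-MODIFICATION "

if __name__ == "__main__":
    for label, d in (("#if 0 excluded", AS_COMPILED), ("flag enabled", AS_DOCUMENTED)):
        name = parse_attribute_type(d)["NAME"][0]
        print(label, name, "writable without Relax:", writable_without_relax(d))
```

The same functions can be run over each `attributeTypes` value read from a server's subschema entry to list which password policy state attributes an existing management script can still write directly.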