Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments



hyc@symas.com wrote:
> Andrew Findlay wrote:
>> On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:
>>
>>> I note that in ppolicy.c we have:
>>>
>>>      {   "( 1.3.6.1.4.1.42.2.27.8.1.17 "
>>>          "NAME ( 'pwdAccountLockedTime' ) "
>>>          "DESC 'The time an user account was locked' "
>>>          "EQUALITY generalizedTimeMatch "
>>>          "ORDERING generalizedTimeOrderingMatch "
>>>          "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
>>>          "SINGLE-VALUE "
>>> #if 0
>>>          /* Not until Relax control is released */
>>>          "NO-USER-MODIFICATION "
>>> #endif
>>>          "USAGE directoryOperation )",
>>>
>>> We have in fact released support for the Relax control, so it's
>>> probably time to unifdef these bits and go back to the documented
>>> behavior.
>>
>> That seems reasonable in the long term, though it will break many sites'
>> existing password management procedures. The change will have to be
>> mentioned in the updated manpage, noting the version at which it takes
>> effect.
>>
>> Should I produce an updated version of the manpage patch?
> 
> Well since you raise the question, what do you think is the more sensible 
> approach to all of this? I was the one who argued in ldapext that these 
> attributes should be no-user-modification but perhaps that makes them too 
> inconvenient to administer.

Given the fact that the Relax Rules control still has a .666 OID, it cannot be
used (see my related messages to openldap-devel and ietf-ldapext). At least
what's always being said about .666 OIDs...

Ciao, Michael.