[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
[ldapext] Password Policy - locking accounts
Is the notion of an administrator locking/unlocking (i.e. enable/disable
for authentication) an entry within the scope of the password policy draft?
This seems like a logical addition and a reasonable candidate for something
to be done in a standard way.
If folks agree, I suggest adding an extended operation to lock or unlock a
given entry.
On a related note, it is common to be able to set "password must be reset"
on a per user basis -- for example setting the password for an entry to be
used by an application. This could be done by modifying the pwdReset
attribute, in which I think it would be appropriate for password policy to
specify that servers may allow this attribute to be modified. Or another
extended operation; I don't have any good guidelines for when I think an
extended operation is more appropriate than modifying what has so far been
presented as a "status" attribute -- though I didn't see any
"NO-USER-MODIFICATION" atttached to any of these attributes.
John McMeeking
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext