[ldapext] Password Policy - locking accounts






Is the notion of an administrator locking/unlocking (i.e. enable/disable
for authentication) an entry within the scope of the password policy draft?
This seems like a logical addition and a reasonable candidate for something
to be done in a standard way.

If folks agree, I suggest adding an extended operation to lock or unlock a
given entry.

On a related note, it is common to be able to set "password must be reset"
on a per user basis -- for example setting the password for an entry to be
used by an application.  This could be done by modifying the pwdReset
attribute, in which case I think it would be appropriate for password policy to
specify that servers may allow this attribute to be modified.  Or another
extended operation; I don't have any good guidelines for when I think an
extended operation is more appropriate than modifying what has so far been
presented as a "status" attribute -- though I didn't see any
"NO-USER-MODIFICATION" attached to any of these attributes.

John McMeeking


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext