John McMeeking wrote:
I don't believe that enabling / disabling an account for authentication is part of the password policy.
Is the notion of an administrator locking/unlocking (i.e. enable/disable for authentication) an entry within the scope of the password policy draft? This seems like a logical addition and a reasonable candidate for something to be done in a standard way.
If folks agree, I suggest adding an extended operation to lock or unlock a given entry.
Our implementation allows administrators to modify the operational attributes. It's easier than an extended operation and more coupled with Access Controls.
On a related note, it is common to be able to set "password must be reset"
on a per user basis -- for example setting the password for an entry to be
used by an application. This could be done by modifying the pwdReset
attribute, in which case I think it would be appropriate for password policy to
specify that servers may allow this attribute to be modified. Or another
extended operation; I don't have any good guidelines for when I think an
extended operation is more appropriate than modifying what has so far been
presented as a "status" attribute -- though I didn't see any
"NO-USER-MODIFICATION" attached to any of these attributes.
Ludovic.
John McMeeking
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
-- Ludovic Poitou Sun Microsystems Inc. Sun ONE products - Directory Server Group - Grenoble - France