
[ldapext] password policy administrative operations






There are some administrative operations that are not addressed by the
password policy draft.

- Can an account be unlocked after being locked due to failed requests?  If
so, is this done by having the administrator reset the password?  Or should
there be another way to unlock the account without changing the password?
Perhaps an extended request?  Modify request to delete the
pwdaccountlockedtime attribute?

- Is there a way to prevent passwords from expiring on specific accounts?
One obvious way is to place these accounts where the password policy
doesn't apply, but I think a more appropriate approach would be a property
of the account -- some combination of operational attributes
(pwdneverexpires=TRUE?) and / or extended operations (some sort of "set pwd
attributes" extended operation?).

There are probably others, but these are items I have encountered as folks
look at implementing pwd policy in their organizations.


John McMeeking


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext