
RE: [ldapext] password policy: pwdAllowUserChange



Hi Jim,

I tend to agree with you here. I think that this is an Access Control issue
and therefore should not be part of the policy.

I do not have any issues with its removal. Our directory can adequately
control access to attributes and their values using our local access control
and X.500 Basic Access Control implementations.

Removing the pwdAllowUserChange attribute may become a problem for Directory
implementations whose access control scheme cannot provide this
functionality. If this attribute stays within the draft then I think that
text should be added to clearly indicate that the pwdAllowUserChange
attribute is intended to be used in absence of any access controls.


Cheers,
..........................
Andrew Sciberras
http://view500.adacel.com


>-----Original Message-----
>From: ldapext-admin@ietf.org [mailto:ldapext-admin@ietf.org] On Behalf Of Jim Sermersheim
>Sent: Friday, 14 May 2004 13:43
>To: ldapext@ietf.org
>Subject: [ldapext] password policy: pwdAllowUserChange
>
>
><in reference to draft-behera-ldap-password-policy-xx>
>
>I'm not sure why we need this attribute. It's there to grant a user the
>rights to change his own attribute. Are there implementations that need
>this? It seems that local access control mechanisms should suffice.
>
>I'd like to remove it unless there's a compelling reason to leave it.
>
>Jim
>
>_______________________________________________
>Ldapext mailing list
>Ldapext@ietf.org
>https://www1.ietf.org/mailman/listinfo/ldapext
>

