
RE: [ldapext] password policy: pwdAllowUserChange
Yeah, I guess I could see a point in leaving it for the reason you point
out, but for the same reason, I could see adding another attribute which
grants rights to some 'pwdAdministrator' to change other people's
passwords (and maybe even various password policy attributes). In fact,
to align more closely with some existing implementations, the
pwdSafeModify would allow this pwdAdministrator to make modifications
without providing the old password. Section 2.1 currently lets us sleaze
out of this rathole.

I hope I'm not getting myself into more trouble.

Jim

>>> andrews@adacel.com.au 5/13/04 10:56:04 PM >>>
Hi Jim,

I tend to agree with you here. I think that this is an Access Control
issue and therefore should not be part of the policy.

I do not have any issues with its removal. Our directory can adequately
control access to attributes and their values using our local access
control and X.500 Basic Access Control implementations.

Removing the pwdAllowUserChange attribute may become a problem for
Directory implementations whose access control scheme cannot provide this
functionality. If this attribute stays within the draft then I think that
text should be added to clearly indicate that the pwdAllowUserChange
attribute is intended to be used in absence of any access controls.


Cheers,
..........................
Andrew Sciberras
http://view500.adacel.com 


>-----Original Message-----
>From: ldapext-admin@ietf.org [mailto:ldapext-admin@ietf.org] On Behalf Of
>Jim Sermersheim
>Sent: Friday, 14 May 2004 13:43
>To: ldapext@ietf.org
>Subject: [ldapext] password policy: pwdAllowUserChange
>
><in reference to draft-behera-ldap-password-policy-xx>
>
>I'm not sure why we need this attribute. It's there to grant a user the
>rights to change his own attribute. Are there implementations that need
>this? It seems that local access control mechanisms should suffice.
>
>I'd like to remove it unless there's a compelling reason to leave it.
>
>Jim
>


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
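As an added illustration (not part of this thread or the draft), here are the two mechanisms the thread compares, written in OpenLDAP cn=config LDIF: a pwdPolicy entry using the draft's pwdAllowUserChange and pwdSafeModify attributes, and the "local access control" alternative that lets users write only their own userPassword. The suffix dc=example,dc=com, the policy DN, the database DN olcDatabase={1}mdb and the presence of the slapo-ppolicy overlay are assumptions.

```ldif
# Policy-based control: the draft's attributes on a pwdPolicy entry.
# pwdAllowUserChange grants self-service password change; pwdSafeModify
# requires the old password to be supplied in the same modify operation.
# (DN, suffix and overlay presence are assumed for this example.)
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: pwdPolicy
objectClass: person
cn: default
sn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
pwdMustChange: TRUE

# Access-control alternative: the same outcome via the server's own ACLs.
# Each user may write only their own userPassword, anonymous clients may
# only bind against it, and nobody else can read or modify it. With this
# rule in place, pwdAllowUserChange adds nothing that the ACL does not
# already decide. (Database DN is assumed.)
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by self read
  by users read
  by * none
```

Loading the first entry without the second leaves userPassword access to whatever the default ACL permits, which is the gap Andrew's proposed clarifying text is meant to address.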