
Re: [ldapext] Password Policy OIDs



Jim Sermersheim wrote:
Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 10/27/04 4:15:15 PM >>>
There is a TODO statement in -08 for this (Section 10).

Sorry, I guess I should open my eyes!


FWIW, this is what finally pushed me into raising the thread on the list - Do I get another OID from the Netscape folks? Do I add the first IANA_ASSIGNED oid? I'd rather move to all IANA_ASSIGNED oids at the same time I assign the administrative role OID.

Here's what we did:
* Defined our own temporary internal OID for the admin role

We also need to describe how these administrative areas work. Can they
overlap?
* No overlapping - i.e. Specific Administrative Area
We made this decision based on the comment:
"It SHOULD be possible to overwrite the password policy for one
user by defining a new policy in a subentry of the user entry."

Can they be defined in a way that causes some objects to be
governed by no pwd policy subentry?
* Yes, we can do this through the subtreeSpecification attribute

Can one object be governed by multiple pwd policy subentries?
> If so, must each governing subentry list a unique pwd attribute?
Not sure what you're asking here... Is an object an entry or a password attribute?
Many subentries can apply to a single entry. If there are multiple password policy subentries under the one administrative point then I think that they should all be distinctly different. Essentially, no two policies should be able to be applied to the attribute within an entry. This may be hard to manage, so it probably would be easier to simply say that "each governing subentry list a unique pwd attribute".



Jim


Andrew Sciberras.




_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext
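
The three questions in the message above (can an entry be left with no governing password policy subentry, can several subentries govern one entry, and must each list a unique pwd attribute) can be checked mechanically. The following Python sketch is an added example, not part of the original message or of the draft. It assumes a simplified model: DNs without escaped commas, a subtreeSpecification reduced to a base plus chopBefore exclusions (both taken relative to the administrative point or subtree root), and constructed sample data in which `examplePin` and all DNs are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def is_under(dn, base):
    """True if dn equals base or is subordinate to it."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

@dataclass(frozen=True)
class PolicySubentry:
    name: str
    admin_point: str         # DN of the administrative point
    pwd_attribute: str       # attribute this policy applies to
    base: str = ""           # subtreeSpecification base, relative to admin_point
    chop_before: tuple = ()  # exclusions, taken here as relative to the subtree root

    def governs(self, entry_dn):
        root = f"{self.base},{self.admin_point}" if self.base else self.admin_point
        if not is_under(entry_dn, root):
            return False
        # An entry at or below a chopBefore point falls outside the subtree.
        return not any(is_under(entry_dn, f"{c},{root}") for c in self.chop_before)

def governing(entry_dn, subentries):
    """All policy subentries whose subtree contains the entry."""
    return [s for s in subentries if s.governs(entry_dn)]

def conflicts(entry_dn, subentries):
    """pwd attributes claimed by more than one governing subentry."""
    by_attr = defaultdict(list)
    for s in governing(entry_dn, subentries):
        by_attr[s.pwd_attribute.lower()].append(s.name)
    return {a: names for a, names in by_attr.items() if len(names) > 1}

# Constructed sample data: one administrative point, three policy subentries.
AP = "dc=example,dc=com"
SUBENTRIES = [
    PolicySubentry("cn=default-pw", AP, "userPassword", chop_before=("ou=services",)),
    PolicySubentry("cn=pin-policy", AP, "examplePin", base="ou=people"),
    PolicySubentry("cn=admin-pw", AP, "userPassword", base="ou=admins,ou=people"),
]

if __name__ == "__main__":
    for dn in ("uid=bob,ou=people," + AP, "cn=backup,ou=services," + AP,
               "uid=root,ou=admins,ou=people," + AP):
        print(dn, [s.name for s in governing(dn, SUBENTRIES)], conflicts(dn, SUBENTRIES))
```

An entry with an empty governing list has no password policy at all, and a non-empty conflicts result marks the case where two subentries name the same pwd attribute for one entry.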