
Re: [ldapext] Password Policy OIDs



>>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 10/27/04 5:34:40 PM >>>
<snip> 
 
>> We also need to describe how these administrative areas work. Can
>> they overlap?
> * No overlapping - i.e. Specific Administrative Area
> We made this decision based on the comment:
> "It SHOULD be possible to overwrite the password policy for one
> user by defining a new policy in a subentry of the user entry."

Right, but someone may want to define one policy for person objects,
and another policy for widget objects, where persons and widgets fall
under the same hierarchy.
 
<snip>

>> Can one object be governed by multiple pwd policy subentries?
>> If so, must each governing subentry list a unique pwd attribute?
> Not sure what you're asking here... Is an object an entry or a password
> attribute?
> Many subentries can apply to a single entry. If there are multiple
> password policy subentries under the one administrative point then I
> think that they should all be distinctly different. Essentially, no two
> policies should be able to be applied to the attribute within an entry.
> This may be hard to manage, so it probably would be easier to simply say
> that "each governing subentry list a unique pwd attribute".

I'm just saying, we need to decide and specify these things. AFAIK,
administrative policy specifications are responsible to make statements
as to whether policies may be combined, and how (...for each specific
aspect of administrative authority, a definition is required of the
method of combination of administrative information when it is possible
for entries to be included in more than one subtree or subtree
refinement...). For example, while we _may_ want to allow multiple
password policy subentries to apply to a single object (each associated
with a different attribute), other administrative areas do not allow
multiple subentries to apply to a single object (like subschema). The
limits and allowances for these kinds of things are supposed to be
called out in the specification, but the pwd policy specification makes
no (or very few, vague) statements along these lines.

Jim
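The combination question raised in this message, modelled as an added example (this is not code from the thread, from the draft under discussion, or from any directory product). It assumes a simplified X.501-style subtree specification: each password policy subentry selects entries by an absolute base DN plus an optional refinement on objectClass (RFC 3672 expresses the base relative to the administrative point; the absolute form is a simplification), and governs one password attribute. All entry and subentry data below is constructed for the illustration. The resolver lists which subentries apply to an entry and flags the situation Jim asks the specification to rule on: two applicable subentries governing the same attribute of one entry.

```python
"""Which password policy subentries govern an entry, and do any collide?

Added illustration of the administrative-area combination question; not code
from the ldapext thread or the password policy draft. The base DN of each
subentry is given as an absolute DN (a simplification of RFC 3672, where the
base is relative to the administrative point).
"""
from dataclasses import dataclass, field


def dn_components(dn: str) -> list:
    """Split a DN into its RDN components, leaf first, normalised to lower case."""
    return [c.strip().lower() for c in dn.split(",")]


def is_within(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies below it in the DIT."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    return len(e) >= len(b) and e[len(e) - len(b):] == b


@dataclass
class Entry:
    dn: str
    object_classes: set


@dataclass
class PolicySubentry:
    name: str
    base: str                                      # base of the subtree specification
    refinement: set = field(default_factory=set)   # objectClass names; empty = no filter
    pwd_attribute: str = "userPassword"            # the attribute this policy governs

    def selects(self, entry: Entry) -> bool:
        """Apply the subtree specification: inside the base, and (if refined) of a listed class."""
        if not is_within(entry.dn, self.base):
            return False
        if not self.refinement:
            return True
        wanted = {oc.lower() for oc in self.refinement}
        return bool(wanted & {oc.lower() for oc in entry.object_classes})


def governing_subentries(entry: Entry, subentries: list) -> list:
    """All subentries whose subtree specification selects the entry, in listed order."""
    return [s for s in subentries if s.selects(entry)]


def conflicting_attributes(entry: Entry, subentries: list) -> dict:
    """Attributes of the entry that more than one applicable subentry claims to govern.

    An empty result means the 'each governing subentry lists a unique pwd
    attribute' rule proposed in the thread is satisfied for this entry.
    """
    claims = {}
    for s in governing_subentries(entry, subentries):
        claims.setdefault(s.pwd_attribute.lower(), []).append(s.name)
    return {attr: names for attr, names in claims.items() if len(names) > 1}


# Constructed sample data: one administrative point, three candidate subentries.
ADMIN_POINT = "ou=staff,dc=example,dc=com"
POLICIES = [
    PolicySubentry("people-policy", ADMIN_POINT, {"person"}),
    PolicySubentry("widget-policy", ADMIN_POINT, {"widget"}),
    PolicySubentry("default-policy", ADMIN_POINT),   # no refinement: overlaps both above
]
ALICE = Entry("uid=alice,ou=staff,dc=example,dc=com", {"person", "inetOrgPerson"})
WIDGET = Entry("cn=w1,ou=staff,dc=example,dc=com", {"widget"})
OUTSIDER = Entry("uid=bob,ou=partners,dc=example,dc=com", {"person"})


if __name__ == "__main__":
    for entry in (ALICE, WIDGET, OUTSIDER):
        names = [s.name for s in governing_subentries(entry, POLICIES)]
        print(entry.dn, "->", names, "conflicts:", conflicting_attributes(entry, POLICIES))
```

With only the two refined subentries, persons and widgets under the same administrative point each get exactly one policy and no conflicts arise, which is the arrangement the message says someone may want. Adding the unrefined default subentry makes two policies claim userPassword for every person and widget entry, which is precisely the case a combination rule in the specification would have to either forbid or resolve.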

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext