
Re: [ldapext] Password Policy operational attributes



On Mon, 2004-11-22 at 08:16 -0600, John McMeeking wrote:
> 
> I only see two operational attributes that arguably should be modifiable:
> pwdReset and pwdAccountLockedTime.  And pwdAccountLockedTime might be
> modifiable only under certain conditions:

Agreed.

> I don't see a reason why pwdChangedTime, pwdFailureTime, pwdHistory or
> pwdGraceUseTime (and definitely not pwdPolicySubentry) should be user (or
> administrator) modifiable under any conditions.

Recognising that I'm now into abstruse corner cases here - but the only
one I could see is that, given some out of band alternative
credentialling process, the password could be artificially limited
("clipped") to the lifetime of the alternative credential.

For example - if the user could apply for a certificate, and the system
architect prefers that all credentials expire together, he might want
the pwdChangedTime modified such that expiry of the password takes place
at the same time as expiry of the certificate. In other words - "give the
user a password lasting for 6 months or the lifetime of his current
certificate, whichever is shorter".

The desirability of such a scheme is a whole different argument...

As I said - real corner case stuff, but it seems to me that fiddling
with the record is sometimes needed, as long as an audit trail exists to
demonstrate the alteration. So, I'd tend to allow these attributes to be
modified, even if I can't think of any good reason for them - and leave
the ACI system to restrict modification to the highest levels of
authority.

Cheers,

Neil
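The "clipping" scheme Neil describes, worked through as an added example (not code from the original message or from the password-policy draft): the password-policy draft expires a password at pwdChangedTime + pwdMaxAge, so clipping the password lifetime to the certificate lifetime means back-dating pwdChangedTime. The pwdMaxAge value and all timestamps below are constructed sample values.

```python
"""Clip a password's lifetime to a certificate's lifetime by back-dating
pwdChangedTime (added example; pwdMaxAge and timestamps are constructed)."""
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime as used by pwdChangedTime: YYYYMMDDHHMMSSZ (UTC)
GT_FMT = "%Y%m%d%H%M%SZ"


def parse_gt(value: str) -> datetime:
    """Parse a GeneralizedTime string such as 20041122081600Z."""
    return datetime.strptime(value, GT_FMT).replace(tzinfo=timezone.utc)


def to_gt(when: datetime) -> str:
    """Format a datetime as GeneralizedTime in UTC."""
    return when.astimezone(timezone.utc).strftime(GT_FMT)


def clipped_pwd_changed_time(now: datetime, pwd_max_age: int,
                             cert_not_after: datetime) -> datetime:
    """Return the pwdChangedTime to record for a password set at `now`.

    If the certificate outlives the natural password expiry
    (now + pwdMaxAge) the real change time is kept; otherwise the change
    time is back-dated so that pwdChangedTime + pwdMaxAge equals the
    certificate's notAfter and both credentials expire together.
    """
    if cert_not_after <= now:
        raise ValueError("certificate already expired; nothing to clip to")
    max_age = timedelta(seconds=pwd_max_age)
    if cert_not_after >= now + max_age:
        return now  # no clipping needed
    return cert_not_after - max_age


if __name__ == "__main__":
    # Constructed sample: password set now, pwdMaxAge of 180 days,
    # certificate that expires well before the 180 days are up.
    now = parse_gt("20041122081600Z")
    cert = parse_gt("20050201000000Z")
    changed = clipped_pwd_changed_time(now, 180 * 86400, cert)
    print("record pwdChangedTime:", to_gt(changed))
```

The back-dated value is what an administrator-level ACI would have to permit writing, which is the point of contention in the thread.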


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext