
Re: [ldapext] Password Policy draft 9



After adopting the schema changes in draft 9 we ran into a new issue; the pwdAccountLockedTime operational attribute is now marked NO-USER-MODIFICATION. Should this attribute be automatically removed when a password change is successfully performed? (I.e., give it the same treatment as pwdFailureTime and pwdGraceUseTime, which are removed upon successful password change.) Otherwise, it's not clear that a password administrator can re-enable an account using the currently defined protocol operations, and requiring a manipulation outside the protocol seems wrong. I have the same concern with pwdPolicySubentry, which seems to me to require manual setting. (For all the other non-modifiable attributes, they have clearly defined automated behaviors, so there's no issue there.)

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
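The lockout scenario raised in the message above, as an added toy model that is neither the draft's normative text nor any server's code. It uses the draft's attribute names but everything else (the Policy values, the Entry layout, the timestamps, the function names) is constructed for illustration, and it ignores any server-specific administrative bypass of NO-USER-MODIFICATION. The point it makes concrete: if a successful password change clears only pwdFailureTime and pwdGraceUseTime, an administrator who resets the password through the protocol still leaves the account locked.

```python
"""Toy model of password-policy operational attributes (constructed example,
not the draft's text or an LDAP server's implementation)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Operational attributes the server maintains itself.  A client modify that
# names one of these is rejected, which is what NO-USER-MODIFICATION means.
NO_USER_MODIFICATION = {
    "pwdChangedTime", "pwdAccountLockedTime", "pwdFailureTime",
    "pwdHistory", "pwdGraceUseTime", "pwdReset", "pwdPolicySubentry",
}


class ConstraintViolation(Exception):
    """Stands in for the LDAP result code a server would return."""


@dataclass
class Policy:
    # Assumed values; in a real deployment these come from the policy entry.
    pwdMaxFailure: int = 3
    pwdLockout: bool = True
    pwdLockoutDuration: int = 0   # 0 means locked until explicitly reset


@dataclass
class Entry:
    attrs: dict = field(default_factory=dict)


def gtime(t: datetime) -> str:
    """GeneralizedTime with the UTC designator, as these attributes use."""
    return t.strftime("%Y%m%d%H%M%SZ")


def client_modify(entry, attr, values):
    """A Modify request arriving over the protocol from any client."""
    if attr in NO_USER_MODIFICATION:
        raise ConstraintViolation(f"{attr} is NO-USER-MODIFICATION")
    entry.attrs[attr] = list(values)


def is_locked(entry, policy, now):
    locked_at = entry.attrs.get("pwdAccountLockedTime")
    if not locked_at:
        return False
    if policy.pwdLockoutDuration == 0:
        return True
    t = datetime.strptime(locked_at[0], "%Y%m%d%H%M%SZ")
    t = t.replace(tzinfo=timezone.utc)
    return now < t + timedelta(seconds=policy.pwdLockoutDuration)


def failed_bind(entry, policy, now):
    """Server-side bookkeeping after a bind with the wrong password."""
    failures = entry.attrs.setdefault("pwdFailureTime", [])
    failures.append(gtime(now))
    if policy.pwdLockout and len(failures) >= policy.pwdMaxFailure:
        entry.attrs.setdefault("pwdAccountLockedTime", [gtime(now)])


def password_changed(entry, now, clear_lock):
    """Server-side bookkeeping after a successful password change.
    clear_lock=True is the behaviour the message asks for; clear_lock=False
    is draft 9 read literally (an assumption of this model)."""
    entry.attrs["pwdChangedTime"] = [gtime(now)]
    entry.attrs.pop("pwdFailureTime", None)
    entry.attrs.pop("pwdGraceUseTime", None)
    if clear_lock:
        entry.attrs.pop("pwdAccountLockedTime", None)


def scenario(clear_lock):
    """Lock an account by repeated failures, let an administrator set a new
    password over the protocol, and return whether the account is usable."""
    policy = Policy()
    entry = Entry({"userPassword": ["old"]})
    t0 = datetime(2005, 1, 1, tzinfo=timezone.utc)
    for i in range(policy.pwdMaxFailure):
        failed_bind(entry, policy, t0 + timedelta(seconds=i))
    assert is_locked(entry, policy, t0 + timedelta(minutes=1))
    # The administrator cannot clear the lock attribute directly ...
    try:
        client_modify(entry, "pwdAccountLockedTime", [])
    except ConstraintViolation:
        pass
    # ... so the only in-protocol tool is a password change.
    client_modify(entry, "userPassword", ["new"])
    password_changed(entry, t0 + timedelta(minutes=2), clear_lock)
    return not is_locked(entry, policy, t0 + timedelta(minutes=3))


if __name__ == "__main__":
    print("draft 9 read literally:", scenario(clear_lock=False))
    print("with lock cleared:     ", scenario(clear_lock=True))
```

With `clear_lock=False` the account stays locked after the administrator's password change, which is the gap the message describes; with `clear_lock=True` the change doubles as the unlock, matching the treatment pwdFailureTime and pwdGraceUseTime already get.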