Re: [ldapext] Password Policy draft 9
- To: ldapext@ietf.org
- Subject: Re: [ldapext] Password Policy draft 9
- From: Howard Chu <hyc@highlandsun.com>
- Date: Thu, 01 Sep 2005 13:29:03 -0700
- In-reply-to: <42F209AD0200001C000383DC@lyle.provo.novell.com>
- References: <42F209AD0200001C000383DC@lyle.provo.novell.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050829 SeaMonkey/1.1a
After adopting the schema changes in draft 9 we ran into a new issue;
the pwdAccountLockedTime operational attribute is now marked
NO-USER-MODIFICATION. Should this attribute be automatically removed
when a password change is successfully performed? (I.e., give it the
same treatment as pwdFailureTime and pwdGraceUseTime which are removed
upon successful password change.) Otherwise it's not clear that a
password administrator can re-enable an account using the currently
defined protocol operations, and requiring a manipulation outside the
protocol seems wrong. I have the same concern with pwdPolicySubentry,
which seems to me to require manual setting. (For all the other
non-modifiable attributes, they have clearly defined automated
behaviors, so there's no issue there.)
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
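An added illustration (example code, not part of the message above, the draft, or OpenLDAP) of the re-enable problem the message raises: a small in-memory model of the draft's lockout bookkeeping. Attribute names (pwdAccountLockedTime, pwdFailureTime, pwdGraceUseTime, pwdPolicySubentry, pwdMaxFailure, pwdLockoutDuration) come from the draft; the server behaviour modelled around them, the `Policy` dataclass and the `lock_then_reset` helper are assumptions made for this example. It shows that once the lock marker is NO-USER-MODIFICATION, a direct delete over the protocol is refused, so the only way an administrator's password reset re-enables the account is if the server clears pwdAccountLockedTime itself on a successful change, as it already does for pwdFailureTime and pwdGraceUseTime.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Operational attributes the draft marks NO-USER-MODIFICATION (names from the
# draft; the server-side behaviour modelled below is an assumption for
# illustration, not the draft's normative text).
NO_USER_MODIFICATION = {
    "pwdAccountLockedTime", "pwdFailureTime", "pwdGraceUseTime", "pwdPolicySubentry",
}


class NoUserModification(Exception):
    """Raised when a client modify names a NO-USER-MODIFICATION attribute."""


@dataclass
class Policy:
    pwdMaxFailure: int = 3
    # 0 models the draft's "locked until reset by a password administrator".
    pwdLockoutDuration: int = 0  # seconds


def is_locked(entry, policy, at):
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is None:
        return False
    if policy.pwdLockoutDuration == 0:
        return True
    return at < locked_at + timedelta(seconds=policy.pwdLockoutDuration)


def bind(entry, policy, password, at):
    """Simple bind: records failures, sets pwdAccountLockedTime after
    pwdMaxFailure, clears pwdFailureTime on success. True on a successful bind."""
    if is_locked(entry, policy, at):
        return False
    if password == entry["userPassword"]:
        entry.pop("pwdFailureTime", None)
        return True
    failures = entry.setdefault("pwdFailureTime", [])
    failures.append(at)
    if len(failures) >= policy.pwdMaxFailure:
        entry["pwdAccountLockedTime"] = at
    return False


def client_modify(entry, attr, value):
    """A modify arriving over the protocol. The server refuses to touch
    NO-USER-MODIFICATION attributes, so an admin cannot delete the lock marker."""
    if attr in NO_USER_MODIFICATION:
        raise NoUserModification(attr)
    if value is None:
        entry.pop(attr, None)
    else:
        entry[attr] = value


def change_password(entry, new_password, clear_locked_time):
    """Server-side handling of a successful password change. The draft already
    removes pwdFailureTime and pwdGraceUseTime here; clear_locked_time models
    the extension proposed in the message."""
    entry["userPassword"] = new_password
    entry.pop("pwdFailureTime", None)
    entry.pop("pwdGraceUseTime", None)
    if clear_locked_time:
        entry.pop("pwdAccountLockedTime", None)


def lock_then_reset(clear_locked_time, lockout_duration=0):
    """Lock a constructed account via failed binds, attempt the (refused) direct
    delete, reset the password as an administrator, and report whether the user
    can bind with the new password one minute later."""
    policy = Policy(pwdMaxFailure=3, pwdLockoutDuration=lockout_duration)
    entry = {"userPassword": "old-secret"}  # constructed sample entry
    t0 = datetime(2005, 9, 1, 20, 29, tzinfo=timezone.utc)
    for i in range(policy.pwdMaxFailure):
        bind(entry, policy, "wrong-guess", t0 + timedelta(seconds=i))
    try:
        client_modify(entry, "pwdAccountLockedTime", None)
        direct_delete_refused = False
    except NoUserModification:
        direct_delete_refused = True
    change_password(entry, "new-secret", clear_locked_time)
    return {
        "direct_delete_refused": direct_delete_refused,
        "still_locked": "pwdAccountLockedTime" in entry,
        "bind_ok": bind(entry, policy, "new-secret", t0 + timedelta(minutes=1)),
    }


if __name__ == "__main__":
    for clear in (False, True):
        print(f"clear pwdAccountLockedTime on change={clear}:", lock_then_reset(clear))
```

With pwdLockoutDuration of 0 (locked until administrative reset) and no clearing on change, the account stays locked even after the administrator sets a new password; with the proposed clearing, the same reset re-enables it. Passing a non-zero `lockout_duration` shows the timed case, where the lock expires on its own and the question does not arise.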