
[ldapext] Password Policy Administrative Model



Hi Kurt,

Just some comments that are specific to the administrative model. 


>3.  Password Policy Administrative Model

Administrative Area Scope  
In [BEHERA] it was stated that a password policy could be defined for a
specific user by creating a password policy subentry directly under that
entry. To me, this suggests that password policy administrative points act
like specific administrative areas. 
Is this behavior intended to remain?


Administrative Role
In accordance with X.501 and RFC3672, do you intend to define an
Administrative Role attribute value to identify that a particular
administrative area is concerned with password policy administration?


Multiple Policies  
I assume that the draft allows multiple passwdPolicy subentries to exist
below a given administrative point... This should be explicitly clarified in
the I-D. 
Multiple subentries could be used to allow policies to apply to different
attributes, or to allow different policies to apply to a given password
attribute conditionally, based on the objectClass of an entry (~ using
subtreeSpecification's). 
However, policies may also be created that inadvertently (or otherwise)
conflict with each other. 
Clarifications on this should probably be made to avoid confusion. 


Regards,
Andrew Sciberras
eB2Bcom 


> -----Original Message-----
> From: ldapext-bounces@ietf.org [mailto:ldapext-bounces@ietf.org] On Behalf
> Of Kurt Zeilenga
> Sent: Tuesday, 1 April 2008 4:56 AM
> To: LDAP Extensions list
> Cc: x500standard@freelists.org
> Subject: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
> 
> This I-D provides an alternative to
> draft-behera-ldap-password-policy-xx.txt.  Appendix provides a
> discussion of how this approach differs, and why.
> 
> The I-D is a bit rough around the edges...
> 
> -- Kurt
