
Re: [ldapext] Password Policy Administrative Model



On Mar 31, 2008, at 10:16 PM, Andrew Sciberras wrote:
> Hi Kurt,
>
> Just some comments that are specific to the administrative model.
>
>
>> 3.  Password Policy Administrative Model
>
> Administrative Area Scope
> In [BEHERA] it was stated that a password policy could be defined for a
> specific user by creating a password policy subentry directly under that
> entry. To me, this suggests that password policy administrative points act
> like specific administrative areas.
> Is this behavior intended to remain?

Yes.

> Administrative Role
> In accordance with X.501 and RFC3672, do you intend to define an
> Administrative Role attribute value to identify that a particular
> administrative area is concerned with password policy administration?

Yes.

> Multiple Policies
> I assume that the draft allows multiple passwdPolicy subentries to exist
> below a given administrative point... This should be explicitly clarified in
> the I-D.
> Multiple subentries could be used to allow policies to apply to different
> attributes, or to allow different policies to apply to a given password
> attribute conditionally, based on the objectClass of an entry (~ using
> subtreeSpecification's).
> However, policies may also be created that inadvertently (or otherwise)
> conflict with each other.
> Clarifications on this should probably be made to avoid confusion.

My intent is for each entry to be governed by at most one password policy,
the policy governing entries within a specific administrative area.

-- Kurt
