Re: [ldapext] password policy: exclude (or exempt) user from policy

[Howard Chu <hyc@highlandsun.com>]

Ludovic Poitou wrote:
> Kurt,
>
> I don't really like using exception mechanism like this which are
> difficult
to track for an administrator and may be abused by users if not protected
appropriately.

Agreed.

> In OpenDS we have some extended subtree specifications that allow to
> filter
in or out users from the password policy definition itself.
> I'm gonna be out for the next 3 weeks but will comment your emails related
to the password policy when I'm back. I didn't get the time to do it before today.

> Regards
>
> Ludovic Poitou
> Sent from a mobile.
>
> On 5 juil. 2010, at 22:14, Kurt Zeilenga<Kurt.Zeilenga@Isode.com>  wrote:
>
> > It is desirable to have a mechanism to exclude (or exempt) a user from the policy.  For instance, it's nasty for various accounts associated with application entities (as opposed to humans) to be locked out.
> >
> > In the Isode implementation, we have an operational single-valued attribute, pwdExclude, which if present in the user's entry and has the boolean value TRUE exempts the user from all password policy enforcement.
> >
> > It would be good to add something like this to the spec.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext