
Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....



On Jul 5, 2010, at 3:03 PM, Howard Chu wrote:

> Kurt Zeilenga wrote:
>> The spec specifically allows for a user entry to be controlled by multiple policies (each for a different password attribute) but then defines pwdPolicySubentry to be single-valued.
> 
>> It seems to me that the text as a whole doesn't really well consider the implications of multiple applicable password policies.
> 
> I'm pretty sure the intention has always been for only a single policy to apply to any given entry.

Then why the 5.3.1?

> Note that it already explicitly requires only a single password value to be present in any entry.

Single value per password attribute, actually.

> When you see that the spec allows for a different password attribute to be used, I take this to mean that within an entire directory, multiple password attributes may be used. But for any given entry, it must have only one password value, regardless of which attribute carries it.

Again, then why 5.3.1?

-- Kurt

