Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
On Jul 5, 2010, at 3:03 PM, Howard Chu wrote:
> Kurt Zeilenga wrote:
>> The spec specifically allows for a user entry to be controlled by
>> multiple policies (each for a different password attribute) but then
>> defines pwdPolicySubentry to be single-valued.
>
>> It seems to me that the text as a whole doesn't really well consider the
>> implications of multiple applicable password policies.
>
> I'm pretty sure the intention has always been for only a single policy to apply to any given entry. Note that it already explicitly requires only a single password value to be present in any entry.
The introduction of 5.3.1 attribute type options was discussed back in Nov/Dec 2002. It seems clear to me that the intent was to support separate directory application (userPassword) passwords from directory-enabled service applications (webPassword, emailPassword, etc.).
http://www.openldap.org/lists/ietf-ldapext/200211/msg00026.html
Personally, I'd prefer to restrict the design of this specification to one password per user (no matter how it is stored). I wouldn't mind seeing password storage policy separated from password use policy.
-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
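The two constraints the thread turns on (exactly one value per password attribute, and a single-valued pwdPolicySubentry that cannot name a separate policy for each of several password attributes) are easy to check mechanically against an entry. The following is an added example, not code from the draft, from OpenLDAP, or from either poster. It parses attribute descriptions per RFC 4512 section 2.5 (type name plus ";option" suffixes, case-insensitive) and treats userPassword together with the hypothetical webPassword and emailPassword attributes named in the mail as the password attributes; that set, and the sample entries, are constructed for the example.

```python
# Added example: check an LDAP entry against the password-policy constraints
# discussed in the thread.  Not code from the draft, OpenLDAP, or the posters.
import re
from collections import defaultdict

# RFC 4512 section 2.5: attributedescription = attributetype *( ";" option ).
# Descriptor names only (no numeric OIDs) to keep the example short.
_ATTR_DESC = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)((?:;[A-Za-z0-9-]+)*)$")

# Assumption: which attribute types hold passwords.  userPassword is standard;
# webPassword and emailPassword are the hypothetical service-application
# passwords mentioned in the mail, not standard schema.
PASSWORD_ATTRIBUTE_TYPES = frozenset({"userpassword", "webpassword", "emailpassword"})


def parse_attribute_description(desc):
    """Split 'userPassword;x-web' into ('userpassword', frozenset({'x-web'}))."""
    m = _ATTR_DESC.match(desc)
    if not m:
        raise ValueError(f"invalid attribute description: {desc!r}")
    options = frozenset(o.lower() for o in m.group(2).split(";") if o)
    return m.group(1).lower(), options


def password_attributes(entry):
    """Group an entry's values by normalized password attribute description.

    `entry` maps attribute descriptions (any case) to lists of values; keys
    differing only in case or option order denote the same attribute.
    """
    grouped = defaultdict(list)
    for desc, values in entry.items():
        base, options = parse_attribute_description(desc)
        if base in PASSWORD_ATTRIBUTE_TYPES:
            grouped[";".join([base, *sorted(options)])].extend(values)
    return dict(grouped)


def check_entry(entry, one_password_per_user=True):
    """Return the list of problems found (empty when the entry is acceptable).

    - every password attribute must carry exactly one value;
    - with one_password_per_user, at most one password attribute may exist;
    - pwdPolicySubentry is single-valued, so several password attributes
      cannot each be pointed at their own policy.
    """
    problems = []
    passwords = password_attributes(entry)

    for desc, values in sorted(passwords.items()):
        if len(values) != 1:
            problems.append(f"{desc}: expected exactly one value, found {len(values)}")

    if one_password_per_user and len(passwords) > 1:
        problems.append("%d password attributes (%s); one password per user expected"
                        % (len(passwords), ", ".join(sorted(passwords))))

    policies = [p for k, vals in entry.items()
                if k.lower() == "pwdpolicysubentry" for p in vals]
    if len(policies) > 1:
        problems.append(f"pwdPolicySubentry is single-valued, found {len(policies)} values")
    if len(passwords) > 1 and len(policies) <= 1:
        problems.append(f"{len(passwords)} password attributes but at most one "
                        "pwdPolicySubentry: no per-attribute policy is possible")
    return problems


# Constructed sample entries (hash values are placeholders, not real hashes).
SINGLE = {
    "uid": ["jdoe"],
    "userPassword": ["{SSHA}constructed-hash-1"],
    "pwdPolicySubentry": ["cn=default,ou=policies,dc=example,dc=com"],
}
MULTI = {
    "uid": ["jdoe"],
    "userPassword": ["{SSHA}constructed-hash-1", "{SSHA}constructed-hash-2"],
    "userPassword;x-web": ["{SSHA}constructed-hash-3"],
    "emailPassword": ["{SSHA}constructed-hash-4"],
    "pwdPolicySubentry": ["cn=default,ou=policies,dc=example,dc=com"],
}

if __name__ == "__main__":
    for name, entry in (("single", SINGLE), ("multi", MULTI)):
        print(name, check_entry(entry) or "OK")
```

Running it reports the single-password entry as acceptable and flags the multi-password entry three times: two userPassword values, more than one password attribute, and no way for its one pwdPolicySubentry to cover three attributes. Passing `one_password_per_user=False` drops the second complaint and leaves the structural mismatch the thread is about.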