
[ldapext] Password policy: pwdAllowUserChange

While section 5.2.15 says:
   This attribute indicates whether users can change their own
   passwords, although the change operation is still subject to access
   control.

It also says:
   This attribute is intended to be used in the absence of an
   access control mechanism.

I think the intent is that it be used in conjunction with other access controls.

And in 8.2.3, I think the text:

   If the bound identity is a user changing its
   own password, this MAY be done by checking the pwdAllowUserChange
   attribute or using an access control mechanism.  The determination of
   this is implementation specific.

should read:
   In addition to other access controls which the operation would
   normally be subjected to, the operation is subject to a
   pwdAllowUserChange check.  If the bound identity is a user changing
   its own password, the server MUST deny the change when
   pwdAllowUserChange is present and set to FALSE in the governing
   policy.

Also, in the subsequent sentence, change "user is not allowed to" to "user is not authorized to" as "not allowed" can be read to include more than just "not authorized".

-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
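The decision logic the proposed wording describes (ordinary access control always applied, plus a pwdAllowUserChange check for self-changes), as an added illustration that is not code from the draft, from Kurt's message or from any LDAP server; the function names, the sample ACL and the sample policy entries are assumptions.

```python
"""Added example: a self-password-change check that applies access control
first and then the pwdAllowUserChange attribute, as the proposed 8.2.3
wording requires. decide_password_change, sample_acl and the policy
dicts are constructed for this example, not taken from the draft."""
from dataclasses import dataclass
from typing import Callable, Optional


def ldap_boolean(value: Optional[str], default: bool) -> bool:
    """Decode an LDAP Boolean attribute value ("TRUE"/"FALSE").
    An absent attribute yields `default`."""
    if value is None:
        return default
    if value == "TRUE":
        return True
    if value == "FALSE":
        return False
    raise ValueError(f"invalid Boolean value: {value!r}")


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide_password_change(bound_dn: str, target_dn: str, policy: dict,
                           acl_permits: Callable[[str, str], bool]) -> Decision:
    """Authorize a password modify of target_dn by bound_dn.

    1. Access control is always applied; pwdAllowUserChange does not
       replace it.
    2. For a user changing its own password, the change is additionally
       denied when the governing policy carries pwdAllowUserChange: FALSE.
       An absent attribute does not block the change.
    DN equality is simplified to a case-insensitive string compare here;
    a real server would use DN matching rules.
    """
    if not acl_permits(bound_dn, target_dn):
        return Decision(False, "not authorized by access control")
    if bound_dn.lower() == target_dn.lower():  # self-change
        if not ldap_boolean(policy.get("pwdAllowUserChange"), default=True):
            return Decision(False, "not authorized: pwdAllowUserChange is FALSE")
    return Decision(True, "permitted")


# Constructed sample ACL: an admin may write any password, a user only its own.
def sample_acl(bound_dn: str, target_dn: str) -> bool:
    return (bound_dn == "cn=admin,dc=example,dc=com"
            or bound_dn.lower() == target_dn.lower())


LOCKED_POLICY = {"cn": "locked", "pwdAllowUserChange": "FALSE"}  # constructed
OPEN_POLICY = {"cn": "open"}  # attribute absent
```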