[ldapext] Password policy: pwdAllowUserChange
While 5.2.15 says:

    This attribute indicates whether users can change their own
    passwords, although the change operation is still subject to access
    control.

It also says:

    This attribute is intended to be used in the absence of an
    access control mechanism.

I think the intent is that it be used in conjunction with other access controls.

And in 8.2.3, I think the text:

    If the bound identity is a user changing its
    own password, this MAY be done by checking the pwdAllowUserChange
    attribute or using an access control mechanism. The determination of
    this is implementation specific.

should read:

    In addition to other access controls which the operation would
    normally be subjected to, the operation is subject to a
    pwdAllowUserChange check. If the bound identity is a user changing
    its own password, the server MUST deny the change when
    pwdAllowUserChange is present and set to FALSE in the governing
    policy.

Also, in the subsequent sentence, change "user is not allowed to" to "user is not authorized to", as "not allowed" can be read to include more than just "not authorized".
-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
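
The two readings of 8.2.3 discussed in the message above, as an added example that is not part of the original post or of any server's code. The type and function names, the simplified DN comparison, and the treatment of an absent attribute in the "either/or" reading are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordModify:
    """Hypothetical view of a password change as seen by the policy check."""
    bound_dn: str                          # identity the connection is bound as
    target_dn: str                         # entry whose password is being changed
    acl_permits: bool                      # result of normal access control (computed elsewhere)
    pwd_allow_user_change: Optional[bool]  # governing policy value; None = attribute absent


def is_self_change(op: PasswordModify) -> bool:
    # Simplified DN match (assumption): a real server compares normalized DNs.
    def norm(dn: str) -> str:
        return ",".join(part.strip().lower() for part in dn.split(","))
    return norm(op.bound_dn) == norm(op.target_dn)


def either_or_check(op: PasswordModify, use_policy_attr: bool) -> bool:
    """One reading of the current text: for a self change the server MAY use
    the attribute OR access control, and which one is implementation specific."""
    if not is_self_change(op):
        return op.acl_permits
    if use_policy_attr:
        # Assumption: an absent attribute does not forbid the change.
        return op.pwd_allow_user_change is not False
    return op.acl_permits


def conjunction_check(op: PasswordModify) -> bool:
    """The proposed text: access control applies as usual, and in addition a
    self change is denied when the attribute is present and FALSE."""
    if not op.acl_permits:
        return False
    if is_self_change(op) and op.pwd_allow_user_change is False:
        return False
    return True


# Constructed sample entries, not taken from any real directory.
USER = "uid=alice,ou=people,dc=example,dc=com"
ADMIN = "cn=admin,dc=example,dc=com"
ACL_YES_POLICY_NO = PasswordModify(USER, "UID=Alice, ou=People,dc=example,dc=com", True, False)
ACL_NO_POLICY_YES = PasswordModify(USER, USER, False, True)
ADMIN_RESET = PasswordModify(ADMIN, USER, True, False)
NO_ATTRIBUTE = PasswordModify(USER, USER, True, None)
```

Under the either/or reading, `ACL_YES_POLICY_NO` and `ACL_NO_POLICY_YES` are each allowed by one implementation choice and denied by the other; the conjunction reading denies both regardless of implementation.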