
Re: [ldapext] password policy: exclude (or exempt) user from policy



Kurt Zeilenga wrote:
> 
> On Jul 5, 2010, at 1:31 PM, Howard Chu wrote:
> 
>> Kurt Zeilenga wrote:
>>> It is desirable to have a mechanism to exclude (or exempt) a user from the
>>> policy.  For instance, it's nasty for various accounts associated with
>>> application entities (as opposed to humans) to be locked out.
>>>
>>> In the Isode implementation, we have an operational single-valued
>>> attribute, pwdExclude, which if present in the user's entry and has the
>>> boolean value TRUE exempts the user from all password policy enforcement.
>>>
>>> It would be good to add something like this to the spec.
>>
>> That sounds backward to me.
> 
> It's modeled after collective attribute exclusions.
> 
>> You should just define a specific policy for those accounts, and turn off
>> everything you don't want enforced in that policy.
> 
> That can be a pain depending on how one organizes their account objects.

Why do you think that the pointer to a separate policy cannot be a collective
attribute? Maybe I got you wrong though.

Ciao, Michael.