Re: (ITS#6084) ppolicy should allow scheduled password expiration
Howard Chu wrote:
> Guillaume Rousse wrote:
>> Howard Chu wrote:
>>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>>> suggestions for changes in this area should probably first be raised on
>>> the ietf-ldapext mailing list.
>> Right, but the openldap implementation already has extensions, such as
>> pwdCheckModule. Additional extensions could be implemented before
>> getting standardized.
>> Also, the ietf-ldapext seems to be a highly technical list, and I don't
>> feel comfortable enough to post this kind of request directly there.
>> Discussing various limitations of ppolicy among openldap users first
>> would probably allow the openldap core team to suggest a more polished
>> extension request themselves.
> The draft doesn't say anything about setting pwdAccountLockedTime to a
> value in the future; since it doesn't preclude it I've fixed up the code
> to handle this case. However, it's not a good solution for your purpose,
> since the pwdAccountLockedTime value is automatically replaced with the
> current time if too many Bind failures occur, and it's automatically
> deleted when a password is changed. We'll leave this in HEAD on an
> experimental basis for now, until a real solution is spec'd out.
Indeed. Moreover, a variable date field is not a practical field for
sorting out valid accounts in search requests, for authorization purposes.
Anyway, thanks for the change.
BOFH excuse #320:
You've been infected by the Telescoping Hubble virus.