Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
> > slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
> > fragments for pwdPolicySubentry and pwdAccountLockedTime.
>
> That's how they were defined in the IETF Draft. The schema fragments
> in the manpage were copied directly from the spec. The fact that the
> current implementation deviates from the spec is just out of
> necessity to make things work at all in our present code base.
Certainly the use of pwdPolicySubentry differs from the
intention of the draft (which I believe was intending to use
real X.500-style subentries).
The case of pwdAccountLockedTime is arguable.
draft-behera-ldap-password-policy-xx.txt says:
This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
the account.
Unfortunately it says nothing about *how* a password
administrator should do that when the attribute is marked
NO-USER-MODIFICATION. I would argue that this is a
deficiency in the draft, and that the current OpenLDAP
behaviour is more useful.
> Things will not always work this way...
Indeed, but I would prefer the manpages to reflect the
reality of the current release!
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
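The thread turns on how an administrator is expected to handle pwdAccountLockedTime. As an added example (not from this thread or from OpenLDAP), the following script audits the lock state of entries in an LDIF export, assuming the draft's sentinel semantics and a pwdLockoutDuration value from the applicable policy; the LDIF, DNs and timestamps are constructed.

```python
# Added example (not from the ITS thread or OpenLDAP): audit pwdAccountLockedTime
# values in an LDIF export. Assumes draft-behera semantics: 000001010000Z is a permanent
# lock only an administrator can clear; other values stop locking after pwdLockoutDuration.
from datetime import datetime, timedelta, timezone
PERMANENT_LOCK = "000001010000Z"  # sentinel value quoted in the draft
# Constructed sample export; the DNs and timestamps are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
pwdAccountLockedTime: 000001010000Z

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
pwdAccountLockedTime: 20110215120000Z

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
"""

def parse_time(value):  # plain YYYYMMDDHHMMSSZ generalized time, no fractions
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple, unfolded LDIF export."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            attrs.setdefault(attr, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def lock_state(locked_time, lockout_duration, now):
    """Classify one pwdAccountLockedTime value (or None) at generalized time `now`."""
    if locked_time is None:
        return "unlocked"
    if locked_time == PERMANENT_LOCK:
        return "locked-permanent"  # only deleting the attribute unlocks the account
    if lockout_duration == 0:
        return "locked-until-admin-unlock"  # pwdLockoutDuration 0: no automatic expiry
    if parse_time(now) < parse_time(locked_time) + timedelta(seconds=lockout_duration):
        return "locked-temporary"
    return "lock-expired"  # stale value; the lock no longer applies

def audit(ldif_text, lockout_duration, now):
    """Map each entry's uid to its lock state under the given pwdLockoutDuration."""
    return {e["uid"][0]: lock_state(e.get("pwdAccountLockedTime", [None])[0], lockout_duration, now)
            for e in parse_ldif(ldif_text).values()}
```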