[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments

On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:

> >slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
> >fragments for pwdPolicySubentry and pwdAccountLockedTime.
> That's how they were defined in the IETF Draft. The schema fragments
> in the manpage were copied directly from the spec. The fact that the
> current implementation deviates from the spec is just out of
> necessity to make things work at all in our present code base.

Certainly the use of pwdPolicySubentry differs from the
intention of the draft (which I believe was intending to use
real X.500-style subentries).

The case of pwdAccountLockedTime is arguable.
draft-behera-ldap-password-policy-xx.txt says:

   This attribute holds the time that the user's account was locked.  A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

Unfortunately it says nothing about *how* a password
administrator should do that when the attribute is marked
NO-USER-MODIFICATION. I would argue that this is a
deficiency in the draft, and that the current OpenLDAP
behaviour is more useful.

> Things will not always work this way...

Indeed, but I would prefer the manpages to reflect the
reality of the current release!

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |