[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments

Andrew Findlay wrote:
> On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
>>> slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
>>> fragments for pwdPolicySubentry and pwdAccountLockedTime.
>> That's how they were defined in the IETF Draft. The schema fragments
>> in the manpage were copied directly from the spec. The fact that the
>> current implementation deviates from the spec is just out of
>> necessity to make things work at all in our present code base.
> Certainly the use of pwdPolicySubentry differs from the
> intention of the draft (which I believe was intending to use
> real X.500-style subentries).
> The case of pwdAccountLockedTime is arguable.
> draft-behera-ldap-password-policy-xx.txt says:
>     This attribute holds the time that the user's account was locked.  A
>     locked account means that the password may no longer be used to
>     authenticate.  A 000001010000Z value means that the account has been
>     locked permanently, and that only a password administrator can unlock
>     the account.
> Unfortunately it says nothing about *how* a password
> administrator should do that when the attribute is marked
> NO-USER-MODIFICATION. I would argue that this is a
> deficiency in the draft, and that the current OpenLDAP
> behaviour is more useful.
>> Things will not always work this way...
> Indeed, but I would prefer the manpages to reflect the
> reality of the current release!

I note that in ppolicy.c we have:

     {   "( "
         "NAME ( 'pwdAccountLockedTime' ) "
         "DESC 'The time an user account was locked' "
         "EQUALITY generalizedTimeMatch "
         "ORDERING generalizedTimeOrderingMatch "
         "SYNTAX "
         "SINGLE-VALUE "
#if 0
         /* Not until Relax control is released */
         "USAGE directoryOperation )",

We have in fact released support for the Relax control, so it's probably time 
to unifdef these bits and go back to the documented behavior.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/