[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments

On Thu, Jun 30, 2011 at 03:11:05AM -0700, Howard Chu wrote:

> Well since you raise the question, what do you think is the more
> sensible approach to all of this? I was the one who argued in
> ldapext that these attributes should be no-user-modification but
> perhaps that makes them too inconvenient to administer.

I think that the best approach would be to make no change in 2.4 code
but to flag in the docs that the behaviour will change for 2.5.

The NO-USER-MODIFICATION flags have been in draft-behera since 2005,
but draft-zeilenga-ldap-relax has only been around since 2007. The latter
document says that rules may not be relaxed unless there is a document
saying that they may be. pwdAccountLockedTime is not mentioned in
draft-zeilenga-ldap-relax and the relax control is not mentioned in
draft-behera-ldap-password-policy, so one of those docs needs updating
to make the behaviour legal.

It would be interesting to survey other LDAP implementations to see how they
currently treat the password-policy attributes. This is already a minefield
due to uncertainties and variations in the replication process.

|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |