
Re: Attribute pwdPolicySubentry



Emmanuel Lécharny wrote:
> On 19/12/15 12:44, Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Borresen, John - 0444 - MITLL wrote:
>>>>> Interesting!  I was able to add it via command-line with ldapadd.  But, when
>>>>> viewing it in Apache Directory Studio, it still didn't show up -- that is
>>>>> until I enabled Operational Attributes.
>>>> Attribute 'pwdPolicySubentry' is somewhat special because it's not referenced by
>>>> any object class. You can simply add it to any entry.
>>> It is an operational attribute, so by definition, it can be added to any entry.
>> But 'pwdPolicySubentry' is the only attribute typically set by an LDAP client, as
>> opposed to all other operational attributes like 'createTimestamp' etc.
>>
>> So it's special for schema-aware LDAP GUI clients.
> That's irrelevant.
> 
> It's an operational attribute that can be set by the users, which is
> perfectly legit. There is nothing 'special' about it.

As said: It's not special in regard to RFC 4512. But it's not that easy to
implement a generic UI which guides the user to always do the right thing.  And
obviously there are some generic LDAP UIs out there which prevent the user from
setting this attribute by a false client-side schema check.

> Re-read RFC 4512 section 3.4.

Nothing in there describes how a client could find out which operational
attribute(s) to always present in an input form.

One could display input fields for all operational attrs which do not have
NO-USER-MODIFICATION set.  But not all servers use that consistently enough.
(Not to speak of "experimental" schema used for years being hidden by the erroneous
.666 OID policy making schema look incomplete at the client side.)

Ciao, Michael.
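The heuristic from the last paragraph of the reply (offer input fields for operational attributes that lack NO-USER-MODIFICATION), as an added Python example that is not part of the thread or of any LDAP client mentioned in it. The attributeType strings are constructed samples in RFC 4512 syntax modelled on createTimestamp, modifiersName and the ppolicy draft's pwdPolicySubentry, and the function names are assumptions of this example.

```python
import re

# Constructed sample attributeType descriptions (RFC 4512 syntax), standing in
# for what a client would read from the server's subschema subentry.
SAMPLE_SCHEMA = [
    "( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )",
    "( 2.5.18.4 NAME 'modifiersName' EQUALITY distinguishedNameMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION "
    "USAGE directoryOperation )",
    "( 1.3.6.1.4.1.42.2.27.8.1.23 NAME 'pwdPolicySubentry' "
    "DESC 'The pwdPolicy subentry in effect for this object' "
    "EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 "
    "SINGLE-VALUE USAGE directoryOperation )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
]

# RFC 4512 usage keywords other than userApplications mark an attribute operational.
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}


def parse_attribute_type(definition):
    """Pull NAME, USAGE and NO-USER-MODIFICATION out of one attributeType description."""
    names = re.search(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))", definition)
    if names is None:
        raise ValueError("attributeType description without NAME: " + definition)
    if names.group(1):
        name_list = [names.group(1)]
    else:
        name_list = re.findall(r"'([^']+)'", names.group(2))
    usage = re.search(r"\bUSAGE\s+(\w+)", definition)
    return {
        "names": name_list,
        # RFC 4512: USAGE defaults to userApplications when absent.
        "usage": usage.group(1) if usage else "userApplications",
        "no_user_modification": bool(re.search(r"\bNO-USER-MODIFICATION\b", definition)),
    }


def user_settable_operational_attrs(definitions):
    """Operational attributes a schema-aware GUI could offer as input fields."""
    result = []
    for definition in definitions:
        at = parse_attribute_type(definition)
        if at["usage"] in OPERATIONAL_USAGES and not at["no_user_modification"]:
            result.append(at["names"][0])
    return result
```

The selection is only as good as the server's schema: a server that omits NO-USER-MODIFICATION from a server-maintained attribute makes it show up here as user-settable, which is the inconsistency the reply points out.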
