[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Attribute pwdPolicySubentry

To: "ludovic.poitou@gmail.com" <ludovic.poitou@gmail.com>
Subject: Re: Attribute pwdPolicySubentry
From: Emmanuel Lecharny <elecharny@apache.org>
Date: Sat, 19 Dec 2015 16:05:43 +0100
Cc: howard chu <hyc@symas.com>, michael ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <CAFYMcyOz7kirkki15GuMs9Dx+th_5oQRgStHEQQVF+WO2+_aig@mail.gmail.com>
References: <56754335.40808@stroeder.com> <CAFYMcyOz7kirkki15GuMs9Dx+th_5oQRgStHEQQVF+WO2+_aig@mail.gmail.com>

That makes sense. An even smarter system would use the administrative model to handle password policies.

Le samedi 19 décembre 2015, <ludovic.poitou@gmail.com> a écrit :

In my opinion, the pwdPolicySubentry attribute should be read-only generated by the server.

We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles : a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account.

In OpenDJ ( and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators.

My 2 cents

Ludo

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Follow-Ups:
- Re: Attribute pwdPolicySubentry
  - From: Howard Chu <hyc@symas.com>

References:
- Re: Attribute pwdPolicySubentry
  - From: Michael Ströder <michael@stroeder.com>
- Re: Attribute pwdPolicySubentry
  - From: ludovic.poitou@gmail.com

Prev by Date: Re: Attribute pwdPolicySubentry
Next by Date: Re: Attribute pwdPolicySubentry
Index(es):
- Chronological
- Thread