Re: Attribute pwdPolicySubentry

Emmanuel Lecharny wrote:
That makes sense. An even smarter system would use the administrative model to
handle password policies.


On Saturday, 19 December 2015, <ludovic.poitou@gmail.com> wrote:

    In my opinion, the pwdPolicySubentry attribute should be read-only
    generated by the server.

Agreed. That's how it always should have worked, but since we didn't have a real subEntry implementation, this is what we got.

    We had made the error in Sun Directory Server to allow customers to set it
    manually, and it was very confusing that the attribute served 2 roles: a
    way to find the pwd policy entry applicable for the entry, and a way to
    set a different or new policy for an account.

    In OpenDJ (and all other servers from the same code base) we use 2
    different attributes. That separation made it easier to handle for
    applications and administrators.

Makes sense.

    My 2 cents


Emmanuel Lécharny
www.iktek.com <http://www.iktek.com>

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/