[Date Prev][Date Next]
Re: Attribute pwdPolicySubentry
Emmanuel Lecharny wrote:
That makes sense. An even smarter system would use the administrative model to
handle password policies.
Le samedi 19 décembre 2015, <firstname.lastname@example.org
<mailto:email@example.com>> a écrit :
In my opinion, the pwdPolicySubentry attribute should be read-only
generated by the server.
Agreed. That's how it always should have worked, but since we didn't have a
real subEntry implementation, this is what we got.
We had made the error in Sun Directory Server to allow customers to set it
manually, and it was very confusing that the attribute served 2 roles : a
way to find the pwd policy entry applicable for the entry, and a way to
set a different or new policy for an account.
In OpenDJ ( and all other servers from the same code base) we use 2
different attributes. That separation made it easier to handle for
applications and administrators.
My 2 cents
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/