Re: Attribute pwdPolicySubentry
On Sat, 19 Dec 2015 18:29:32 +0000
Howard Chu <hyc@symas.com> wrote:
> Emmanuel Lecharny wrote:
> > That makes sense. An even smarter system would use the
> > administrative model to handle password policies.
>
> Yes.
> >
> > On Saturday, 19 December 2015, <ludovic.poitou@gmail.com
> > <mailto:ludovic.poitou@gmail.com>> wrote:
> >
> > In my opinion, the pwdPolicySubentry attribute should be
> > read-only generated by the server.
>
> Agreed. That's how it always should have worked, but since we didn't
> have a real subEntry implementation, this is what we got.
> >
> > We had made the error in Sun Directory Server to allow
> > customers to set it manually, and it was very confusing that the
> > attribute served 2 roles: a way to find the pwd policy entry
> > applicable for the entry, and a way to set a different or new
> > policy for an account.
> >
> > In OpenDJ (and all other servers from the same code base) we
> > use 2 different attributes. That separation made it easier to
> > handle for applications and administrators.
>
> Makes sense.
> >
> > My 2 cents
This thread should be moved to ldapext@ietf.org
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E