Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
hyc@symas.com wrote:
> Andrew Findlay wrote:
>> On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:
>>
>>> I note that in ppolicy.c we have:
>>>
>>> { "( 1.3.6.1.4.1.42.2.27.8.1.17 "
>>> "NAME ( 'pwdAccountLockedTime' ) "
>>> "DESC 'The time an user account was locked' "
>>> "EQUALITY generalizedTimeMatch "
>>> "ORDERING generalizedTimeOrderingMatch "
>>> "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
>>> "SINGLE-VALUE "
>>> #if 0
>>> /* Not until Relax control is released */
>>> "NO-USER-MODIFICATION "
>>> #endif
>>> "USAGE directoryOperation )",
>>>
>>> We have in fact released support for the Relax control, so it's
>>> probably time to unifdef these bits and go back to the documented
>>> behavior.
>>
>> That seems reasonable in the long term, though it will break many sites'
>> existing password management procedures. The change will have to be
>> mentioned in the updated manpage, noting the version at which it takes
>> effect.
>>
>> Should I produce an updated version of the manpage patch?
>
> Well since you raise the question, what do you think is the more sensible
> approach to all of this? I was the one who argued in ldapext that these
> attributes should be no-user-modification but perhaps that makes them too
> inconvenient to administer.

Given the fact that the Relax Rules control still has a .666 OID, it cannot be
used (see my related messages to openldap-devel and ietf-ldapext). At least
that's what's always being said about .666 OIDs...

Ciao, Michael.