[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Attribute pwdPolicySubentry

To: elecharny@apache.org, "ludovic.poitou@gmail.com" <ludovic.poitou@gmail.com>
Subject: Re: Attribute pwdPolicySubentry
From: Howard Chu <hyc@symas.com>
Date: Sat, 19 Dec 2015 18:29:32 +0000
Cc: michael ströder <michael@stroeder.com>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
In-reply-to: <CAG8=FRiHQbBxVWDG6sxuhn9RzRDu3mWinsFZtJE1iWdZv3tsYg@mail.gmail.com>
References: <56754335.40808@stroeder.com> <CAFYMcyOz7kirkki15GuMs9Dx+th_5oQRgStHEQQVF+WO2+_aig@mail.gmail.com> <CAG8=FRiHQbBxVWDG6sxuhn9RzRDu3mWinsFZtJE1iWdZv3tsYg@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 SeaMonkey/2.42a1

Emmanuel Lecharny wrote:

That makes sense. An even smarter system would use the administrative model to
handle password policies.


Yes.


Le samedi 19 décembre 2015, <ludovic.poitou@gmail.com
<mailto:ludovic.poitou@gmail.com>> a écrit :

    In my opinion, the pwdPolicySubentry attribute should be read-only
    generated by the server.

Agreed. That's how it always should have worked, but since we didn't have areal subEntry implementation, this is what we got.


    We had made the error in Sun Directory Server to allow customers to set it
    manually, and it was very confusing that the attribute served 2 roles : a
    way to find the pwd policy entry applicable for the entry, and a way to
    set a different or new policy for an account.

    In OpenDJ ( and all other servers from the same code base) we use 2
    different attributes. That separation made it easier to handle for
    applications and administrators.


Makes sense.


    My 2 cents

    Ludo



--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com <http://www.iktek.com>



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Attribute pwdPolicySubentry
  - From: Dieter Klünter <dieter@dkluenter.de>

References:
- Re: Attribute pwdPolicySubentry
  - From: Michael Ströder <michael@stroeder.com>
- Re: Attribute pwdPolicySubentry
  - From: ludovic.poitou@gmail.com
- Re: Attribute pwdPolicySubentry
  - From: Emmanuel Lecharny <elecharny@apache.org>

Prev by Date: Re: Attribute pwdPolicySubentry
Next by Date: Re: Attribute pwdPolicySubentry
Index(es):
- Chronological
- Thread