
List:       openldap-bugs
Subject:    Re: (ITS#6830) slapo-ppolicy.5 has incorrect schema fragments
From:       andrew.findlay () skills-1st ! co ! uk
Date:       2011-02-15 13:41:26
Message-ID: 201102151341.p1FDfQLN080174 () boole ! openldap ! org

On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:

> >slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
> >fragments for pwdPolicySubentry and pwdAccountLockedTime.
> 
> That's how they were defined in the IETF Draft. The schema fragments
> in the manpage were copied directly from the spec. The fact that the
> current implementation deviates from the spec is just out of
> necessity to make things work at all in our present code base.

Certainly the use of pwdPolicySubentry differs from the
intention of the draft (which I believe was intending to use
real X.500-style subentries).

The case of pwdAccountLockedTime is arguable.
draft-behera-ldap-password-policy-xx.txt says:

   This attribute holds the time that the user's account was locked.  A
   locked account means that the password may no longer be used to
   authenticate.  A 000001010000Z value means that the account has been
   locked permanently, and that only a password administrator can unlock
   the account.

Unfortunately it says nothing about *how* a password
administrator should do that when the attribute is marked
NO-USER-MODIFICATION. I would argue that this is a
deficiency in the draft, and that the current OpenLDAP
behaviour is more useful.

> Things will not always work this way...

Indeed, but I would prefer the manpages to reflect the
reality of the current release!

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
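The behaviour Andrew refers to (a password administrator unlocking an account by modifying pwdAccountLockedTime) as an added LDIF illustration, not part of the original thread. It assumes a user entry `uid=jdoe,ou=people,dc=example,dc=com` (placeholder), a password administrator bound with write access to the attribute, and the current OpenLDAP ppolicy behaviour in which the attribute is modifiable rather than NO-USER-MODIFICATION.

```ldif
# Constructed example: permanently lock the account.
# 000001010000Z is the value the draft reserves for a permanent lock;
# only a password administrator is expected to remove it.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdAccountLockedTime
pwdAccountLockedTime: 000001010000Z

# Constructed example: unlock the account again.
# Deleting the attribute is what makes the password usable once more;
# this modification is exactly what NO-USER-MODIFICATION would forbid.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
delete: pwdAccountLockedTime
```

Apply either change with `ldapmodify` bound as the password administrator; ordinary users should have no write access to pwdAccountLockedTime in the access control configuration.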

