Howard Chu wrote:
> Guillaume Rousse wrote:
>> Howard Chu wrote:
>>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>>> suggestions for changes in this area should probably first be raised on
>>> the ietf-ldapext mailing list.
>> Right, but the openldap implementation already has extensions, such as
>> pwdCheckModule. Additional extensions could be implemented before
>> getting standardized.
>>
>> Also, the ietf-ldapext seems to be a highly technical list, and I don't
>> feel comfortable enough to post this kind of request directly there.
>> Discussing various limitations of ppolicy among openldap users first
>> would probably allow the openldap core team to suggest a more polished
>> extension request themselves.
>
> The draft doesn't say anything about setting pwdAccountLockedTime to a
> value in the future; since it doesn't preclude it I've fixed up the code
> to handle this case. However, it's not a good solution for your purpose,
> since the pwdAccountLockedTime value is automatically replaced with the
> current time if too many Bind failures occur, and it's automatically
> deleted when a password is changed. We'll leave this in HEAD on an
> experimental basis for now, until a real solution is spec'd out.

Indeed. Moreover, a variable date field is not a practical field for sorting out valid accounts in search requests, for authorization purposes.

Anyway, thanks for the change.

--
BOFH excuse #320: You've been infected by the Telescoping Hubble virus.
