On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote: > >slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the > >schema > >fragments for pwdPolicySubentry and pwdAccountLockedTime. > > That's how they were defined in the IETF Draft. The schema fragments > in the manpage were copied directly from the spec. The fact that the > current implementation deviates from the spec is just out of > necessity to make things work at all in our present code base.
Certainly the use of pwdPolicySubentry differs from the intention of the draft (which I believe was intending to use real X.500-style subentries). The case of pwdAccountLockedTime is arguable. draft-behera-ldap-password-policy-xx.txt says: This attribute holds the time that the user's account was locked. A locked account means that the password may no longer be used to authenticate. A 000001010000Z value means that the account has been locked permanently, and that only a password administrator can unlock the account. Unfortunately it says nothing about *how* a password administrator should do that when the attribute is marked NO-USER-MODIFICATION. I would argue that this is a deficiency in the draft, and that the current OpenLDAP behaviour is more useful. > Things will not always work this way... Indeed, but I would prefer the manpages to reflect the reality of the current release! Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------
