[email protected] wrote:
> Andrew Findlay wrote:
>> On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:
>>
>>> I note that in ppolicy.c we have:
>>>
>>>     { "( 1.3.6.1.4.1.42.2.27.8.1.17 "
>>>         "NAME ( 'pwdAccountLockedTime' ) "
>>>         "DESC 'The time an user account was locked' "
>>>         "EQUALITY generalizedTimeMatch "
>>>         "ORDERING generalizedTimeOrderingMatch "
>>>         "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
>>>         "SINGLE-VALUE "
>>> #if 0
>>>         /* Not until Relax control is released */
>>>         "NO-USER-MODIFICATION "
>>> #endif
>>>         "USAGE directoryOperation )",
>>>
>>> We have in fact released support for the Relax control, so it's
>>> probably time to unifdef these bits and go back to the documented
>>> behavior.
>>
>> That seems reasonable in the long term, though it will break many sites'
>> existing password management procedures. The change will have to be
>> mentioned in the updated manpage, noting the version at which it takes
>> effect.
>>
>> Should I produce an updated version of the manpage patch?
>
> Well since you raise the question, what do you think is the more sensible
> approach to all of this? I was the one who argued in ldapext that these
> attributes should be no-user-modification but perhaps that makes them too
> inconvenient to administer.

Given the fact that the Relax Rules control still has a .666 OID it cannot be used (see my related messages to openldap-devel and ietf-ldapext). At least that's what's always being said about .666 OIDs...

Ciao, Michael.
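An added example, not part of the thread or of OpenLDAP's code: a small parser for RFC 4512 attribute type descriptions that lists operational attributes lacking NO-USER-MODIFICATION, i.e. those an ordinary modify request can change wherever ACLs permit it. The two definitions are constructed from the ppolicy.c snippet quoted above, and all function and variable names are this example's own.

```python
import re

# Constructed from the snippet quoted above: the definition as the C strings
# concatenate with the "#if 0" block compiled out, then with it compiled in.
CURRENT_DEF = (
    "( 1.3.6.1.4.1.42.2.27.8.1.17 "
    "NAME ( 'pwdAccountLockedTime' ) "
    "DESC 'The time an user account was locked' "
    "EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE "
    "USAGE directoryOperation )"
)
UNIFDEFED_DEF = CURRENT_DEF.replace(
    "SINGLE-VALUE ", "SINGLE-VALUE NO-USER-MODIFICATION ")

# Quoted strings stay one token, so keywords inside a DESC are never matched.
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")

def parse_attribute_type(definition):
    """Parse an RFC 4512 AttributeTypeDescription into a dict."""
    tokens = TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised attribute type description")
    attr = {"oid": tokens[1], "names": [], "usage": "userApplications",
            "no_user_modification": False}
    i = 2
    while i < len(tokens) - 1:
        key = tokens[i]
        if key == "NAME":
            i += 1
            if tokens[i] == "(":            # list form: NAME ( 'a' 'b' )
                end = tokens.index(")", i)
                attr["names"] = [t.strip("'") for t in tokens[i + 1:end]]
                i = end
            else:                           # single form: NAME 'a'
                attr["names"] = [tokens[i].strip("'")]
        elif key == "USAGE":
            i += 1
            attr["usage"] = tokens[i]
        elif key == "NO-USER-MODIFICATION":
            attr["no_user_modification"] = True
        i += 1
    return attr

def user_writable_operational(definitions):
    """Names of operational attributes that lack NO-USER-MODIFICATION."""
    parsed = [parse_attribute_type(d) for d in definitions]
    return [n for a in parsed for n in a["names"]
            if a["usage"] != "userApplications" and not a["no_user_modification"]]
```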
