--- Comment #4 from Michael Ströder <michael(a)stroeder.com> ---
(In reply to Ondřej Kuzník from comment #3)
> On Tue, Sep 07, 2021 at 08:30:27PM +0000, openldap-its(a)openldap.org
> then we should revisit the Behera draft and check where it makes sense
> for an attribute to be marked NO-USER-MODIFICATION.

My attempt to revive the ietf-ldapext WG was not successful.
So this is not an option.

> I've already had to
> make changes to the local version where things were omitted:

Hmm, not sure whether that leads to more interoperability.

> Sounds like adding manage permissions on the attribute (and maybe
> "entry" attribute) could be a targeted way of allowing this operation?

I strongly dislike having to use the Relax Rules control to let the admin
change pwdPolicySubentry. IMO this control must only be used in exceptional
administrative use-cases. I have a very strong opinion on this.

In my local OpenLDAP 2.5.x builds I now simply remove NO-USER-MODIFICATION.

Ideally I'd prefer not having to deal with pwdPolicySubentry at all. But until
ITS#9343 is implemented, NO-USER-MODIFICATION should be removed.

Another solution would be to have a separate attribute fooPasswordPolicy (or
whatever name you'd prefer) for overriding, per entry, the computed
pwdPolicySubentry. It would also allow always computing the effective
pwdPolicySubentry, including applying defaults. This is the approach at least
one other LDAP server implements.
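Added configuration example (not from this ITS thread and not OpenLDAP project code) illustrating the two options discussed in the exchange above: an ACL giving a policy administrator "manage" access so that pwdPolicySubentry can be set with the Relax Rules control while the attribute is still NO-USER-MODIFICATION, next to the plain modification that suffices once the attribute is no longer NO-USER-MODIFICATION. The DNs, the database index {1}mdb, the admin identity cn=pwadmin and the policy entry cn=strict are placeholders.

```ldif
# Added example; all DNs below are placeholders, not from the ITS thread.

# 1. cn=config ACL: grant "manage" on pwdPolicySubentry and on the "entry"
#    pseudo-attribute to the policy administrator only. "break" hands every
#    other requester on to the existing ACLs instead of short-circuiting them.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=pwdPolicySubentry,entry
  by dn.exact="cn=pwadmin,dc=example,dc=com" manage
  by * break

# 2. The per-user modification. While pwdPolicySubentry is declared
#    NO-USER-MODIFICATION the client has to attach the Relax Rules control,
#    e.g. with ldapmodify's "-e relax" option:
#      ldapmodify -x -D cn=pwadmin,dc=example,dc=com -W -e relax -f set-policy.ldif
#    With a schema rebuilt without NO-USER-MODIFICATION (the local-build
#    approach mentioned above) the same LDIF is accepted without the control,
#    and ordinary "write" access on the attribute is enough.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=strict,ou=policies,dc=example,dc=com
```

The ACL is placed at index {0} so that it is evaluated before any existing rules; because only the named admin matches the "manage" clause and everyone else falls through via "break", it does not loosen access for other identities.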