https://bugs.openldap.org/show_bug.cgi?id=9671
--- Comment #9 from Ondřej Kuzník ondra@mistotebe.net --- So looking at the attributes that have "NO-USER-MODIFICATION USAGE directoryOperation" on right now:
- pwdChangedTime: pretty sure that one should stay - pwdAccountLockedTime: this is how accounts are locked, so I think we have to allow some modification as locking someone's account is a common use case - pwdFailureTime: managed by ppolicy, should stay - pwdHistory: managed by ppolicy, should stay - pwdGraceUseTime: managed by ppolicy, should stay - pwdPolicySubentry: discussed already, will remove it until ITS#9343 when it (or something along those lines) gets added again - pwdStartTime/pwdEndTime: are administrator managed, I suggest we remove the flags - pwdLastSuccess: managed by core, should stay - pwdAccountTmpLockoutEnd: internal to ppolicy (not part of draft), should stay as is
Comments/dissenting arguments welcome.