On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
>slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema
>fragments for pwdPolicySubentry and pwdAccountLockedTime.
That's how they were defined in the IETF Draft. The schema fragments
in the manpage were copied directly from the spec. The fact that the
current implementation deviates from the spec is just out of
necessity to make things work at all in our present code base.
Certainly the use of pwdPolicySubentry differs from the
intention of the draft (which I believe was intending to use
real X.500-style subentries).
The case of pwdAccountLockedTime is arguable.
draft-behera-ldap-password-policy-xx.txt says:
This attribute holds the time that the user's account was locked. A
locked account means that the password may no longer be used to
authenticate. A 000001010000Z value means that the account has been
locked permanently, and that only a password administrator can unlock
the account.
Unfortunately it says nothing about *how* a password
administrator should do that when the attribute is marked
NO-USER-MODIFICATION. I would argue that this is a
deficiency in the draft, and that the current OpenLDAP
behaviour is more useful.
>Things will not always work this way...
Indeed, but I would prefer the manpages to reflect the
reality of the current release!
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565  |
-----------------------------------------------------------------------
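The draft text quoted in the message above defines pwdAccountLockedTime as a GeneralizedTime, with the special value 000001010000Z meaning a permanent lock, and the thread notes that the current OpenLDAP behaviour lets a password administrator clear the attribute. The following is an added example (not code from the thread, from the draft, or from OpenLDAP) showing how a monitoring script might interpret that attribute for an entry returned by an LDAP search, and how the administrator's unlock would be expressed as LDIF. The entry dictionary, the sample DN and timestamps are constructed; `lockout_duration` stands in for the policy's pwdLockoutDuration value, and the unlock LDIF assumes, as the message describes, that the administrator is allowed to delete the attribute.

```python
"""Interpret pwdAccountLockedTime as defined in draft-behera-ldap-password-policy.

Added example; not part of the mailing-list message, the draft, or OpenLDAP.
"""
from datetime import datetime, timedelta, timezone

# Sentinel from the draft: the account has been locked permanently and only a
# password administrator can unlock it. Note it is shorter than a normal
# YYYYMMDDHHMMSSZ value and year 0000 does not parse, so it is matched first.
PERMANENT_LOCK = "000001010000Z"


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC GeneralizedTime form ppolicy writes (YYYYMMDDHHMMSS[.fff]Z).

    Anything else raises ValueError rather than silently producing a guess.
    """
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled: %r" % value)
    body = value[:-1]
    microsecond = 0
    if "." in body:
        body, fraction = body.split(".", 1)
        microsecond = int(fraction.ljust(6, "0")[:6])
    if len(body) != 14 or not body.isdigit():
        raise ValueError("unexpected GeneralizedTime format: %r" % value)
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(
        tzinfo=timezone.utc, microsecond=microsecond
    )


def lock_state(entry: dict, now: datetime, lockout_duration: int = 0) -> str:
    """Classify an entry as 'unlocked', 'permanent', 'locked' or 'expired'.

    entry: attribute name -> list of string values, as an LDAP search returns.
    lockout_duration: pwdLockoutDuration from the applicable policy, in seconds;
    0 means the lock does not expire on its own (the draft's default).
    """
    values = entry.get("pwdAccountLockedTime", [])
    if not values:
        return "unlocked"
    locked_at = values[0]
    if locked_at == PERMANENT_LOCK:
        return "permanent"
    since = parse_generalized_time(locked_at)
    if lockout_duration == 0:
        return "locked"
    if now < since + timedelta(seconds=lockout_duration):
        return "locked"
    # The lockout window has passed; the next bind should succeed and the
    # overlay will clear the attribute itself.
    return "expired"


def unlock_ldif(dn: str) -> str:
    """LDIF a password administrator would apply to clear the lock.

    Assumes, as the message above describes for the then-current OpenLDAP
    release, that the administrator may delete pwdAccountLockedTime directly.
    """
    return "dn: %s\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n" % dn


if __name__ == "__main__":
    # Constructed sample entries; the timestamps are not real directory data.
    now = datetime(2011, 2, 15, 13, 10, 0, tzinfo=timezone.utc)
    samples = {
        "uid=alice,dc=example,dc=com": {"pwdAccountLockedTime": ["20110215130252Z"]},
        "uid=bob,dc=example,dc=com": {"pwdAccountLockedTime": [PERMANENT_LOCK]},
        "uid=carol,dc=example,dc=com": {},
    }
    for dn, entry in samples.items():
        state = lock_state(entry, now, lockout_duration=900)
        print("%s: %s" % (dn, state))
        if state == "permanent":
            print(unlock_ldif(dn))
```

With a 900-second lockout duration, alice (locked about seven minutes before `now`) is still locked, bob is permanently locked and gets the unlock LDIF, and carol has no lock. Raising the clock past the lockout window turns alice's state into `expired`, which is the case the overlay resolves on her next bind.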