Andrew Findlay wrote:
On Tue, Feb 15, 2011 at 05:02:52AM -0800, Howard Chu wrote:
slapo-ppolicy.5 incorrectly includes the NO-USER-MODIFICATION flag in the schema fragments for pwdPolicySubentry and pwdAccountLockedTime.
That's how they were defined in the IETF Draft. The schema fragments in the manpage were copied directly from the spec. The fact that the current implementation deviates from the spec is just out of necessity to make things work at all in our present code base.
Certainly the use of pwdPolicySubentry differs from the intention of the draft (which I believe was intending to use real X.500-style subentries).
The case of pwdAccountLockedTime is arguable. draft-behera-ldap-password-policy-xx.txt says:
This attribute holds the time that the user's account was locked. A locked account means that the password may no longer be used to authenticate. A 000001010000Z value means that the account has been locked permanently, and that only a password administrator can unlock the account.
Unfortunately it says nothing about *how* a password administrator should do that when the attribute is marked NO-USER-MODIFICATION. I would argue that this is a deficiency in the draft, and that the current OpenLDAP behaviour is more useful.
Things will not always work this way...
Indeed, but I would prefer the manpages to reflect the reality of the current release!
I note that in ppolicy.c we have:
{ "( 1.3.6.1.4.1.42.2.27.8.1.17 "
    "NAME ( 'pwdAccountLockedTime' ) "
    "DESC 'The time an user account was locked' "
    "EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE "
#if 0 /* Not until Relax control is released */
    "NO-USER-MODIFICATION "
#endif
    "USAGE directoryOperation )",
We have in fact released support for the Relax control, so it's probably time to unifdef these bits and go back to the documented behavior.
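As an added example (not code from this thread or from OpenLDAP itself), a small Python parser for the RFC 4512 attribute type description quoted above, showing the practical consequence of the #if 0: with NO-USER-MODIFICATION compiled in, a password administrator clearing pwdAccountLockedTime has to send the Relax Rules control (ldapmodify -e relax), and without it a plain modify is enough. The helper names, the two sample definition strings and the DN are assumptions made here.

```python
import re
from typing import Dict, List

# Constructed copies of the pwdAccountLockedTime definition with the
# NO-USER-MODIFICATION flag compiled in (as documented) and out (as shipped).
WITH_FLAG = ("( 1.3.6.1.4.1.42.2.27.8.1.17 NAME ( 'pwdAccountLockedTime' ) "
             "DESC 'The time an user account was locked' "
             "EQUALITY generalizedTimeMatch "
             "ORDERING generalizedTimeOrderingMatch "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE "
             "NO-USER-MODIFICATION USAGE directoryOperation )")
WITHOUT_FLAG = WITH_FLAG.replace("NO-USER-MODIFICATION ", "")

# Keywords that take no value in an RFC 4512 AttributeTypeDescription.
_FLAGS = {"SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "OBSOLETE"}
_TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")

def parse_attribute_type(desc: str) -> Dict[str, object]:
    """Minimal parser for the subset of RFC 4512 syntax used in ppolicy.c."""
    toks = _TOKEN.findall(desc)
    if toks[0] != "(" or toks[-1] != ")":
        raise ValueError("description must be parenthesised")
    out: Dict[str, object] = {"oid": toks[1]}
    i = 2
    while i < len(toks) - 1:
        key = toks[i]
        if key in _FLAGS:                 # boolean keyword, no value
            out[key] = True
            i += 1
        elif toks[i + 1] == "(":          # qdescrs list, e.g. NAME ( 'a' 'b' )
            j = toks.index(")", i + 2)
            out[key] = [t.strip("'") for t in toks[i + 2:j]]
            i = j + 1
        else:                             # single value, quoted or bare
            out[key] = toks[i + 1].strip("'")
            i += 2
    return out

def needs_relax(desc: str) -> bool:
    """True when an administrator must send the Relax Rules control."""
    return bool(parse_attribute_type(desc).get("NO-USER-MODIFICATION", False))

def unlock_ldif(dn: str) -> str:
    """LDIF that clears the lock by deleting pwdAccountLockedTime."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n"

def unlock_command(desc: str) -> List[str]:
    """ldapmodify invocation; '-e relax' only when the schema demands it."""
    return ["ldapmodify", "-e", "relax"] if needs_relax(desc) else ["ldapmodify"]
```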