hyc@symas.com wrote:
Andrew Findlay wrote:
On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:
I note that in ppolicy.c we have:
    { "( 1.3.6.1.4.1.42.2.27.8.1.17 "
      "NAME ( 'pwdAccountLockedTime' ) "
      "DESC 'The time an user account was locked' "
      "EQUALITY generalizedTimeMatch "
      "ORDERING generalizedTimeOrderingMatch "
      "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
      "SINGLE-VALUE "
    #if 0 /* Not until Relax control is released */
      "NO-USER-MODIFICATION "
    #endif
      "USAGE directoryOperation )",
We have in fact released support for the Relax control, so it's probably time to unifdef these bits and go back to the documented behavior.
That seems reasonable in the long term, though it will break many sites' existing password management procedures. The change will have to be mentioned in the updated manpage, noting the version at which it takes effect.
Should I produce an updated version of the manpage patch?
Well since you raise the question, what do you think is the more sensible approach to all of this? I was the one who argued in ldapext that these attributes should be no-user-modification but perhaps that makes them too inconvenient to administer.
Given the fact that the Relax Rules control still has a .666 OID, it cannot be used (see my related messages to openldap-devel and ietf-ldapext). At least that's what's always being said about .666 OIDs...
Ciao, Michael.