On Thu, Jun 09, 2011 at 01:45:17AM -0700, Howard Chu wrote:

I note that in ppolicy.c we have:

{   "( 1.3.6.1.4.1.42.2.27.8.1.17 "
    "NAME ( 'pwdAccountLockedTime' ) "
    "DESC 'The time an user account was locked' "
    "EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 "
    "SINGLE-VALUE "

#if 0 /* Not until Relax control is released */ "NO-USER-MODIFICATION " #endif "USAGE directoryOperation )",

We have in fact released support for the Relax control, so it's probably time to unifdef these bits and go back to the documented behavior.

That seems reasonable in the long term, though it will break many sites' existing password management procedures. The change will have to be mentioned in the updated manpage, noting the version at which it takes effect.

Should I produce an updated version of the manpage patch?

Andrew