Re: Attribute pwdPolicySubentry

That makes sense. An even smarter system would use the administrative model to handle password policies.

Le samedi 19 décembre 2015, ludovic.poitou@gmail.com a écrit :

In my opinion, the pwdPolicySubentry attribute should be read-only generated by the server.

We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles : a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account.

In OpenDJ ( and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators.

My 2 cents

Ludo