Emmanuel Lecharny wrote:
That makes sense. An even smarter system would use the administrative model to handle password policies.
Yes.
On Saturday, 19 December 2015, <ludovic.poitou@gmail.com> wrote:
In my opinion, the pwdPolicySubentry attribute should be read-only generated by the server.
Agreed. That's how it always should have worked, but since we didn't have a real subEntry implementation, this is what we got.
We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles: a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account. In OpenDJ (and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators.
Makes sense.
My 2 cents Ludo
-- Regards, Emmanuel Lécharny http://www.iktek.com