On Sat, 19 Dec 2015 18:29:32 +0000, Howard Chu hyc@symas.com wrote:
Emmanuel Lecharny wrote:
That makes sense. An even smarter system would use the administrative model to handle password policies.
Yes.
On Saturday, 19 December 2015, <ludovic.poitou@gmail.com> wrote:
In my opinion, the pwdPolicySubentry attribute should be read-only generated by the server.
Agreed. That's how it always should have worked, but since we didn't have a real subEntry implementation, this is what we got.
We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles: a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account.
In OpenDJ (and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators.
Makes sense.
My 2 cents
This thread should be moved to ldapext@ietf.org
-Dieter