Re: [ldapext] Password Policy OIDs
- To: Jim Sermersheim <jimse@novell.com>
- Subject: Re: [ldapext] Password Policy OIDs
- From: Andrew Sciberras <andrew.sciberras@eB2Bcom.com>
- Date: Thu, 28 Oct 2004 09:34:40 +1000
- Cc: ldapext@ietf.org
- In-reply-to: <s17fd8d5.086@sinclair.provo.novell.com>
- Organization: eB2Bcom
- References: <s17fd8d5.086@sinclair.provo.novell.com>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
Jim Sermersheim wrote:
> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 10/27/04 4:15:15 PM >>>
> There is a TODO statement in -08 for this (Section 10).

Sorry, I guess I should open my eyes!

> FWIW, this is what finally pushed me into raising the thread on the
> list - Do I get another OID from the Netscape folks? Do I add the
> first IANA_ASSIGNED oid? I'd rather move to all IANA_ASSIGNED oids at
> the same time I assign the administrative role OID.

Here's what we did:
* Defined our own temporary internal OID for the admin role

> We also need to describe how these administrative areas work. Can they
> overlap?

* No overlapping - i.e. Specific Administrative Area
We made this decision based on the comment:
"It SHOULD be possible to overwrite the password policy for one
user by defining a new policy in a subentry of the user entry."

> Can they be defined in a way that causes some objects to be
> governed by no pwd policy subentry?

* Yes, we can do this through the subtreeSpecification attribute

> Can one object be governed by multiple pwd policy subentries?
> If so, must each governing subentry list a unique pwd attribute?

Not sure what you're asking here... Is an object an entry or a password
attribute?

Many subentries can apply to a single entry. If there are multiple
password policy subentries under the one administrative point then I
think that they should all be distinctly different. Essentially, no two
policies should be able to be applied to the attribute within an entry.
This may be hard to manage, so it probably would be easier to simply say
that "each governing subentry list a unique pwd attribute".

> Jim

Andrew Sciberras.