[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6084) ppolicy should allow scheduled password expiration



Howard Chu a écrit :
> Guillaume Rousse wrote:
>> Howard Chu a écrit :
>>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>>> suggestions for changes in this area should probably first be raised on
>>> the ietf-ldapext mailing list.
>> Right, but openldap implementation already have extension, such
>> pwdCheckModule. Additional extension could be implemented, before
>> getting standardized.
>>
>> Also, the ietf-ldapext seems to be an highly-technical list, and I don't
>> feel confortable enough to post this kind of request directly there.
>> Discussing various limitations of ppolicy among openldap users first
>> would probably allow openldap core team to suggest a more polished
>> extension request themselves.
> 
> The draft doesn't say anything about setting pwdAccountLockedTime to a 
> value in the future; since it doesn't preclude it I've fixed up the code 
> to handle this case. However, it's not a good solution for your purpose, 
> since the pwdAccountLockedTime value is automatically replaced with the 
> current time if too many Bind failures occur, and it's automatically 
> deleted when a password is changed. We'll leave this in HEAD on an 
> experimental basis for now, until a real solution is spec'd out.
Indeed. Moreover, a variable date field is not a practical field for 
sorting out valid accounts in search requests, for authorization purposes.

Anyway, thanks for the change.
-- 
BOFH excuse #320:

You've been infected by the Telescoping Hubble virus.