David Chadwick wrote:
Other: One feature that both X.509 certificates and Kerberos tickets provide, that is missing in this and the LDAP specs, is a pwdStartDate parameter. There are expiration attributes to control when a credential stops being valid, but no corresponding parameter to control when it starts being valid. In addition to allowing credentials to be disabled due to failed authentications, and due to passing a fixed expiration date, administrators frequently request a generic "disabled" boolean flag, for miscellaneous non-time-related reasons.
Looks like I forgot about this. Just to note: I've added pwdStartDate and pwdEndDate to the LDAP ppolicy draft, and suggested that setting pwdStartDate to a value greater than pwdEndDate can be used for the same effect as a generic "disabled" flag.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.
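
The validity window discussed in this message, sketched as an added example (not part of the original message and not OpenLDAP code). It evaluates pwdStartDate and pwdEndDate for an entry and shows how an inverted window acts as a "disabled" flag. Assumptions: both attributes hold UTC GeneralizedTime values of the form YYYYMMDDHHMMSSZ, the start is inclusive and the end exclusive, and the function names and sample entries are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_generalized_time(value):
    """Parse the UTC form YYYYMMDDHHMMSSZ (fractions and offsets are rejected)."""
    if len(value) != 15 or not value.endswith("Z") or not value[:-1].isdigit():
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def credential_state(attrs, now):
    """Return 'disabled', 'not-yet-valid', 'expired' or 'valid' for one entry."""
    start = attrs.get("pwdStartDate")
    end = attrs.get("pwdEndDate")
    start = parse_generalized_time(start) if start else None
    end = parse_generalized_time(end) if end else None
    # Inverted window: no instant satisfies start <= now < end, so the
    # credential can never be used. This is the "disabled" convention.
    if start and end and start > end:
        return "disabled"
    if start and now < start:
        return "not-yet-valid"
    if end and now >= end:
        return "expired"
    return "valid"

def is_usable(attrs, now):
    """Fail closed: a malformed date denies use instead of being ignored."""
    try:
        return credential_state(attrs, now) == "valid"
    except ValueError:
        return False

# Constructed sample entries, evaluated at a fixed constructed instant.
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "active":    {"pwdStartDate": "20240101000000Z", "pwdEndDate": "20250101000000Z"},
    "future":    {"pwdStartDate": "20240701000000Z"},
    "lapsed":    {"pwdEndDate": "20240101000000Z"},
    "disabled":  {"pwdStartDate": "20250101000000Z", "pwdEndDate": "20240101000000Z"},
    "unset":     {},
    "malformed": {"pwdStartDate": "2024-01-01"},
}

if __name__ == "__main__":
    for name, attrs in SAMPLES.items():
        print(f"{name:10s} usable={is_usable(attrs, NOW)}")
```

Reporting "disabled" separately from "expired" lets an audit tell a deliberately inverted window apart from a credential that simply aged out.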