[x500standard] Re: [ldapext] Password Policy Administrative Model
- From: Kurt Zeilenga <Kurt.Zeilenga@xxxxxxxxx>
- To: Andrew Sciberras <andrew.sciberras@xxxxxxxxxxx>
- Date: Mon, 31 Mar 2008 22:50:20 -0700
On Mar 31, 2008, at 10:16 PM, Andrew Sciberras wrote:

> Hi Kurt,
>
> Just some comments that are specific to the administrative model.
>
> 3. Password Policy Administrative Model
>
> Administrative Area Scope
>
> In [BEHERA] it was stated that a password policy could be defined for a
> specific user by creating a password policy subentry directly under that
> entry. To me, this suggests that password policy administrative points act
> like specific administrative areas.
>
> Is this behavior intended to remain?

Yes.

> Administrative Role
>
> In accordance with X.501 and RFC3672, do you intend to define an
> Administrative Role attribute value to identify that a particular
> administrative area is concerned with password policy administration?

Yes.

> Multiple Policies
>
> I assume that the draft allows multiple passwdPolicy subentries to exist
> below a given administrative point... This should be explicitly clarified in
> the I-D.
>
> Multiple subentries could be used to allow policies to apply to different
> attributes, or to allow different policies to apply to a given password
> attribute conditionally, based on the objectClass of an entry (~ using
> subtreeSpecification's).
>
> However, policies may also be created that inadvertently (or otherwise)
> conflict with each other.
>
> Clarifications on this should probably be made to avoid confusion.

My intent is for each entry to be governed by at most one password policy,
the policy governing entries within a specific administrative area.

-- Kurt
-----
www.x500standard.com: The central source for information on the X.500 Directory
Standard.