otpasswd-talk

[Otpasswd-talk] Today's daily observations


From: Hannes Beinert
Subject: [Otpasswd-talk] Today's daily observations
Date: Thu, 7 Jan 2010 11:17:57 -0600

Tomasz,

You write in the ChangeLog:
     + * [%] User can always remove DISABLED flag if he can regenerate state.
     + Should he be allowed to do this?

I think there are two types of "disabled" that might be considered.
First, there is the situation where the sysadmin wants to force a
regeneration.  This is essentially what DISABLED means right now,
AFAICT.  Namely, the sysadmin disables the user, and the user is able
to regenerate while being able to reuse his old configuration.  That's
definitely useful.  The second type of DISABLED is where the sysadmin
wants to say "you're disabled, and don't come back until I say so".
Currently, I think this can only be done by removing/disabling a user
while disallowing key generation by policy.  It would be cool if there
were a "finer grained" way to do this.  You might consider something
like an EXPIRED flag, which if set can only be removed by
regeneration.  Then, change the semantics of the DISABLED flag to give
it the second meaning...?

Incidentally, I have yet to digest your description on oob handling.
I will get to that.  ;-)

Good early evening to you!

Hannes.
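
The two-flag semantics proposed in the message above, as an added C example that is not part of the original message or of otpasswd's own code. The flag names, `struct user_state` and every function name here are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical flag names and layout; not otpasswd's real state format. */
enum { FLAG_DISABLED = 1u << 0, FLAG_EXPIRED = 1u << 1 };

struct user_state {
    unsigned flags;
    unsigned key_generation;   /* bumped on every successful regeneration */
};

/* Authentication is refused while either flag is set. */
bool may_authenticate(const struct user_state *s)
{
    return (s->flags & (FLAG_DISABLED | FLAG_EXPIRED)) == 0;
}

/* Only the sysadmin sets flags. */
void admin_set_flags(struct user_state *s, unsigned flags) { s->flags |= flags; }

/* DISABLED is a hard lock: only the sysadmin lifts it, never the user. */
void admin_clear_disabled(struct user_state *s) { s->flags &= ~(unsigned)FLAG_DISABLED; }

/* User-initiated regeneration. EXPIRED has no other way of being cleared. */
bool user_regenerate_key(struct user_state *s, bool policy_allows_keygen)
{
    if (!policy_allows_keygen)
        return false;               /* site policy forbids user key generation */
    if (s->flags & FLAG_DISABLED)
        return false;               /* "don't come back until I say so" */
    s->key_generation++;
    s->flags &= ~(unsigned)FLAG_EXPIRED;
    return true;
}

int main(void)
{
    struct user_state u = { 0, 1 };

    admin_set_flags(&u, FLAG_EXPIRED);            /* force a regeneration */
    printf("expired:  regen=%d auth=%d\n",
           user_regenerate_key(&u, true), may_authenticate(&u));

    admin_set_flags(&u, FLAG_DISABLED);           /* hard lock */
    printf("disabled: regen=%d auth=%d\n",
           user_regenerate_key(&u, true), may_authenticate(&u));
    return 0;
}
```

With both flags set, lifting DISABLED alone does not restore access: the user still has to regenerate to clear EXPIRED.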



