
Re: (ITS#6084) ppolicy should allow scheduled password expiration



Guillaume Rousse wrote:
> Howard Chu a écrit :
>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>> suggestions for changes in this area should probably first be raised on
>> the ietf-ldapext mailing list.
> Right, but the openldap implementation already has extensions, such
> as pwdCheckModule. Additional extensions could be implemented before
> getting standardized.
>
> Also, the ietf-ldapext seems to be a highly technical list, and I don't
> feel comfortable enough to post this kind of request directly there.
> Discussing various limitations of ppolicy among openldap users first
> would probably allow the openldap core team to suggest a more polished
> extension request themselves.

The draft doesn't say anything about setting pwdAccountLockedTime to a value 
in the future; since it doesn't preclude it I've fixed up the code to handle 
this case. However, it's not a good solution for your purpose, since the 
pwdAccountLockedTime value is automatically replaced with the current time if 
too many Bind failures occur, and it's automatically deleted when a password 
is changed. We'll leave this in HEAD on an experimental basis for now, until a 
real solution is spec'd out.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
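The following is an added illustration, not code from this thread or from OpenLDAP. It models the three rules Howard states above for a future-dated pwdAccountLockedTime (the lock takes effect once the time is reached, too many Bind failures replace the value with the current time, and a password change deletes it) so that the two ways a scheduled lock is lost can be seen on a constructed entry. The pwdMaxFailure threshold, the `Entry` class and the `schedule_lock`/`bind_failure`/`change_password` helpers are assumptions of the model; the GeneralizedTime format is the standard LDAP `YYYYMMDDHHMMSSZ`.

```python
"""Model of the pwdAccountLockedTime handling described in the mail above.

Added illustration, not OpenLDAP code. Each Entry keeps the two ppolicy
operational attributes that matter here; the policy threshold and helper
names are assumptions for the model.
"""
from datetime import datetime, timedelta, timezone

GENTIME = "%Y%m%d%H%M%SZ"   # LDAP GeneralizedTime, UTC, no fractional seconds
PWD_MAX_FAILURE = 3         # assumed pwdMaxFailure value for this model


def to_gentime(t):
    """Render an aware datetime as a GeneralizedTime string."""
    return t.astimezone(timezone.utc).strftime(GENTIME)


def from_gentime(s):
    """Parse a GeneralizedTime string back into an aware UTC datetime."""
    return datetime.strptime(s, GENTIME).replace(tzinfo=timezone.utc)


class Entry:
    """Constructed sample of a user entry's ppolicy operational state."""
    def __init__(self):
        self.pwdAccountLockedTime = None   # None means the attribute is absent
        self.pwdFailureTime = []           # timestamps of recent Bind failures


def is_locked(entry, now):
    """Locked when pwdAccountLockedTime is present and not in the future."""
    if entry.pwdAccountLockedTime is None:
        return False
    return from_gentime(entry.pwdAccountLockedTime) <= now


def schedule_lock(entry, when):
    """Administrator sets pwdAccountLockedTime to a future time (hypothetical)."""
    entry.pwdAccountLockedTime = to_gentime(when)


def bind_failure(entry, now):
    """Record a failed Bind; at pwdMaxFailure failures the scheduled value is
    overwritten with the current time, which is the first caveat in the mail."""
    entry.pwdFailureTime.append(now)
    if len(entry.pwdFailureTime) >= PWD_MAX_FAILURE:
        entry.pwdAccountLockedTime = to_gentime(now)
    return is_locked(entry, now)


def change_password(entry):
    """A password change deletes pwdAccountLockedTime (second caveat), so a
    scheduled lock silently disappears."""
    entry.pwdAccountLockedTime = None
    entry.pwdFailureTime = []


def demo():
    """Walk through both ways a scheduled lock is lost; returns a result map."""
    t0 = datetime(2009, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    results = {}

    e = Entry()
    schedule_lock(e, t0 + timedelta(days=30))
    results["scheduled"] = is_locked(e, t0)                          # False
    results["at_deadline"] = is_locked(e, t0 + timedelta(days=30))   # True

    # Too many Bind failures before the deadline: the lock becomes immediate
    # and the scheduled time is gone.
    for i in range(PWD_MAX_FAILURE):
        bind_failure(e, t0 + timedelta(minutes=i))
    results["after_failures"] = is_locked(e, t0 + timedelta(minutes=5))  # True
    results["lock_time_moved"] = (
        e.pwdAccountLockedTime == to_gentime(t0 + timedelta(minutes=2)))  # True

    # Password change: the scheduled lock is deleted entirely.
    e2 = Entry()
    schedule_lock(e2, t0 + timedelta(days=30))
    change_password(e2)
    results["after_pw_change"] = is_locked(e2, t0 + timedelta(days=31))  # False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `lock_time_moved` and `after_pw_change` results are the point of the mail: a future pwdAccountLockedTime only works until the next lockout or password change, which is why it is kept experimental rather than offered as scheduled expiration.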