
Password Policy for LDAP Directories



I'm writing some Java classes that are dealing with PasswordPolicyResponseValue and I'm having some doubts about the Behera draft. I'd be glad if someone could clarify the points that follow these two quotes from the Behera draft:
-------
4.3.4 pwdExpirationWarned


  This attribute contains the time when the password expiration
  warning was first sent to the client. The password will expire in
  the pwdExpireWarning time.

-------
     D. Calculates whether the time before expiration warning should
        be sent.

        If the pwdExpireWarning attribute is present and contains a
        value, the server MUST perform the following steps.

            If the pwdExpirationWarned attribute is present and has a
            time value, the warning time is the value of the
            pwdExpirationWarned attribute plus the value of the
            pwdExpireWarning attribute minus the current time.

            If the pwdExpirationWarned attribute is not present, the
            server MUST subtract the current time from the time stored
            in pwdChangedTime to arrive at the password's age. If the
            age is greater than the value of the pwdMaxAge attribute
            minus the value of the pwdExpireWarning attribute, the
            server MUST set the current time as the value of the
            pwdExpirationWarned attribute, and the warning time is the
            value of pwdMaxAge minus the password's age.
-------

Reading the above I come to the following assumptions; please correct me if they are wrong:

1- the password will expire at (pwdExpirationWarned plus pwdExpireWarning) date.
2- the first time I bind within the warning period, when the pwdExpirationWarned is not yet initialized, the calculated warning time is equal to (pwdChangedTime plus pwdMaxAge) minus current time.
3- the second time I bind within the warning period, when the pwdExpirationWarned is already initialized, the calculated warning time is equal to (pwdExpirationWarned plus pwdExpireWarning) minus current time, which is a value surely larger than the one calculated during the first bind.


The last two points have the following implications:

4- if I calculate the expiration date using the returned warning time I obtain two different values between the first and any subsequent bind within the warning period, which I think is not very consistent.
5- the real expiration date can be extended well beyond (pwdChangedTime plus pwdMaxAge), depending on when I first bind during the warning period, almost up to (pwdChangedTime plus pwdMaxAge plus pwdExpireWarning) if my first bind within the warning period falls within the last usable second of (pwdChangedTime plus pwdMaxAge) time.


Last but not least, I'm experimenting with Tivoli Directory Server 5.1, whose behaviour seems to be happily ignoring all of the above, because the returned warning time, independently of any pwdExpirationWarned value, is ALWAYS (pwdChangedTime plus pwdMaxAge) minus current time.
Can someone please shed some light on the correct Behera draft meaning?


Thanks, Gabriele.
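The step D arithmetic quoted in the post, as an added worked example (not code from the original post, from the Behera draft, or from any directory server): it replays three binds against a constructed 30-day pwdMaxAge with a 7-day pwdExpireWarning, using integer seconds instead of GeneralizedTime, and shows the expiry implied by the returned warning time moving from day 30 to day 32 once pwdExpirationWarned has been stored.

```python
"""Behera draft, step D: warning-time computation replayed over several binds.

Added example, not code from the post or any server. All times are
integer seconds (constructed sample values), not LDAP GeneralizedTime.
"""
from typing import List, Optional, Tuple


def warning_time(now: int, pwd_changed_time: int, pwd_max_age: int,
                 pwd_expire_warning: Optional[int],
                 pwd_expiration_warned: Optional[int]
                 ) -> Tuple[Optional[int], Optional[int]]:
    """Return (seconds-until-expiry to report, pwdExpirationWarned to store).

    None as the first element means no warning control is sent this bind.
    """
    if not pwd_expire_warning:  # attribute absent or zero: treated as "no value"
        return None, pwd_expiration_warned
    if pwd_expiration_warned is not None:
        # Already warned: the draft anchors on the first-warning time, so the
        # implied expiry (now + warning) is pwdExpirationWarned + pwdExpireWarning.
        return pwd_expiration_warned + pwd_expire_warning - now, pwd_expiration_warned
    age = now - pwd_changed_time
    if age > pwd_max_age - pwd_expire_warning:
        # First bind inside the warning period: record it and report
        # pwdMaxAge - age, i.e. expiry at pwdChangedTime + pwdMaxAge.
        return pwd_max_age - age, now
    return None, None


def simulate(pwd_changed_time: int, pwd_max_age: int, pwd_expire_warning: int,
             bind_times: List[int]) -> List[Optional[int]]:
    """Replay binds in order; return the expiry time each warning implies."""
    warned: Optional[int] = None
    implied: List[Optional[int]] = []
    for t in bind_times:
        w, warned = warning_time(t, pwd_changed_time, pwd_max_age,
                                 pwd_expire_warning, warned)
        implied.append(None if w is None else t + w)
    return implied


DAY = 86400
# Constructed scenario: password set at t=0, 30-day max age, 7-day warning
# window, binds on days 20 (before the window), 25 and 28.
EXPIRIES = simulate(0, 30 * DAY, 7 * DAY, [20 * DAY, 25 * DAY, 28 * DAY])
# -> [None, 2592000, 2764800]: day 30 after the first warning, day 32 after the second
```

The last value is the drift the post describes in points 4 and 5: the second bind's warning points two days past pwdChangedTime plus pwdMaxAge, because it is computed from pwdExpirationWarned rather than from pwdChangedTime.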