[Date Prev][Date Next]
Re: Password Policy for LDAP Directories
As discussion of LDAP extensions is generally off-topic here
(see the IETF LDAPBIS charter), I ask that you (and those who
might want to respond to your post) take this topic to the
<firstname.lastname@example.org> mailing list.
At 04:58 AM 9/9/2004, Gabriele Garuglieri wrote:
>I 'm writing some java classes that are dealing with PasswordPolicyResponseValue and i'm having some doubts about the Behera draft. I'd be glad if someone could clarify the points that follow these two quotes from Behera draft:
> This attribute contains the time when the password expiration
> warning was first sent to the client. The password will expire in
> the pwdExpireWarning time.
> D. Calculates whether the time before expiration warning should
> be sent.
> If the pwdExpireWarning attribute is present and contains a
> value, the server MUST perform the following steps.
> If the pwdExpirationWarned attribute is present and has a
> time value, the warning time is the value of the
> pwdExpirationWarned attribute plus the value of the
> pwdExpireWarning attribute minus the current time.
> If the pwdExpirationWarned attribute is not present, the
> server MUST subtract the current time from the time stored
> in pwdChangedTime to arrive at the password's age. If the
> age is greater than the value of the pwdMaxAge attribute
> minus the value of the pwdExpireWarning attribute, the
> server MUST set the current time as the value of the
> pwdExpirationWarned attribute, and the warning time is the
> value of pwdMaxAge minus the password's age.
>Reading the above i come to the following assumptions, please correct me if they are wrong:
>1- the password will expire at (pwdExpirationWarned plus pwdExpireWarning) date.
>2- the first time i bind within the warning period, when the pwdExpirationWarned is not yet initialized, the calculated warning time is equal to (pwdChangedTime plus pwdMaxAge) minus current time.
>3- the second time i bind within the warning period, when the pwdExpirationWarned is already initialized, the calculated warning time is equal to (pwdExpirationWarned plus pwdExpireWarning) minus current time, which is a a value surely larger than the one calculated during the first bind.
>The last two points have the following implications:
>4- if i calculate the expiration date using the returned warning time i obtain two different values between first and any subsequent bind within the warning period, which i think is not very consistent.
>5- the real expiration date can be extended well beyond the (pwdChangedTime plus pwdMaxAge), depending on when i first bind during the warning period, almost up to (pwdChangedTime plus pwdMaxAge plus pwdExpireWarning) if my fist bind within the warning period falls within the last usable second of (pwdChangedTime plus pwdMaxAge) time.
>Last but least, i'm experimenting with Tivoli Directory server 5.1, whose behaviour seems to be happily ignoring all of the above, because the returned warning time, independently from any pwdExpirationWarned
>value, is ALWAYS (pwdChangedTime plus pwdMaxAge) minus current time.
>Can, please, someone shed some light on the correct Behera draft meaning?