
Re: please publish ldap password policy draft



At 06:16 PM 10/21/99 -0600, Jim Sermersheim wrote:
>>a) compare must use octetStringMatch
>This draft avoids talking about how the actual comparison takes place.

Well, I argue that your actual comparison (and other simple
operations) acting upon userPassword are already well defined
by existing specifications.

>>b) servers cannot encrypt (or hash) the password and store
>>   it in userPassword.
>I don't want to use this document to re-hash (he he) the whole 'syntax of userPassword' discussion we've had twice now.

That wasn't my point.  userPassword is what it is.  Two standard
track documents should not be in direct conflict.  The conflict
should be resolved before the I-D is progressed.

I believe it would be wise to not mention userPassword in your
draft.  I suggest adding an attribute type to the policy which
describes the attribute type that stores the hashed password
value.  Then, if implementors and/or admins choose to abuse
userPassword, they do so... but at their own risk.

- Kurt



----
Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>
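A worked illustration of the conflict discussed in the thread, added here and not part of the original message or of OpenLDAP's own code: userPassword's equality rule octetStringMatch is byte-for-byte comparison, so a Compare of the cleartext cannot succeed against a value a server has stored in hashed form. The {SSHA} scheme, salt and password below are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import os

# Constructed example; not code from the thread or from OpenLDAP.
# userPassword has Octet String syntax and the octetStringMatch equality
# rule, so a Compare request succeeds only when the asserted value is
# byte-for-byte equal to one of the stored values.
def octet_string_match(stored_values, asserted):
    return any(hmac.compare_digest(v, asserted) for v in stored_values)

# {SSHA} as commonly used by LDAP servers: base64(sha1(pw + salt) + salt).
# Storing this form in userPassword departs from what the schema defines
# for the attribute, which is the conflict the message points at.
def ssha_encode(password, salt=None):
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def ssha_verify(stored, password):
    if not stored.startswith(b"{SSHA}"):
        return False
    raw = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)

def demonstrate_conflict(password=b"s3cret"):
    # Assumed fixed salt so the stored value is reproducible.
    stored = [ssha_encode(password, salt=b"\x01\x02\x03\x04")]
    return {
        # What the schema's matching rule says a Compare must do: fails,
        # because the cleartext is not byte-equal to the hashed value.
        "compare_cleartext": octet_string_match(stored, password),
        # What a server that hashed the value must do instead to verify it.
        "verify_hashed": ssha_verify(stored[0], password),
        "verify_wrong": ssha_verify(stored[0], b"wrong"),
    }
```

A policy attribute naming the hashed-password attribute, as Kurt suggests, lets the server verify with the second path while userPassword keeps its defined octetStringMatch semantics.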