
ldap password policy approach
As I was rereading this draft, a few things struck me as
being overly complex.  Most of this complexity is caused
by enforcing policy when modify is used to set credentials.

An alternative approach would be to use a control sent with a
BindRequest to specify new credentials.  Here is a little
food for thought.

Basically, a simple bind request would only return success if:
	1) access controls permitted the operation,
	2) proper credentials were provided, and
	3) password policy was satisfied.

If, for example, the credentials have expired, the bindResponse
would contain an invalidCredentials result, an appropriate text
message, and, if LDAPv3, a control indicating the reason
why the credentials are considered invalid.

To set credentials, the client would send an LDAPv3 simple
bindRequest with the current credentials and a control
containing the new credentials.  If all is well and
a rebind was not required by policy, a success would be
returned.  Otherwise the response would contain an appropriate
result code and, if appropriate, a control providing additional
information (such as rebind required).

A new attribute type could be provided to store encrypted
credentials.  This attribute could have a syntax that supported
equality match of the appropriate hash of the client-provided
value with the stored hash value.  An attribute type option
(;binary?) could indicate that the client value should be matched
directly against the stored value.

Additionally, a control (enforcePasswordPolicy) could be
defined, and specified with operations that modify the stored
credentials, that would enable password policy processing.
A well behaving 3rd party authentication application would
provide an enforcePasswordPolicy critical control.

I believe such an approach would eliminate much of the
complexity associated with implementing password policy codes
in both clients and servers.

If there are others interested in this alternative approach,
I'd be willing to work with them on an I-D.

	Kurt


----
Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>
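The exchanges sketched in the message above (a simple bind that succeeds only when access control, credentials and policy all pass; an expired password answered with invalidCredentials plus a reason control; a bind carrying the new credentials in a control; and a modify that runs policy only when an enforcePasswordPolicy control is present), as an added toy server-side simulation. This is example code written for this page, not OpenLDAP code and not an implementation of any I-D. The control names newCredentials, enforcePasswordPolicy and passwordPolicyResponse, the reason strings, the choice of unwillingToPerform for the "rebind required" case, and the directory contents are all assumptions made here; only the numeric LDAP result codes are the standard ones.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

# Standard LDAP result codes
SUCCESS = 0
CONSTRAINT_VIOLATION = 19
INVALID_CREDENTIALS = 49
INSUFFICIENT_ACCESS_RIGHTS = 50
UNWILLING_TO_PERFORM = 53

# Hypothetical control names for this example (not registered controls or OIDs)
NEW_CREDENTIALS = "newCredentials"                   # request: carries the new password
ENFORCE_PASSWORD_POLICY = "enforcePasswordPolicy"    # request: opt into policy on modify
PASSWORD_POLICY_RESPONSE = "passwordPolicyResponse"  # response: reason / extra information

PBKDF2_ITERATIONS = 50_000


@dataclass
class Policy:
    max_age_seconds: float  # password is considered expired after this long
    min_length: int
    rebind_required: bool   # a bind that changed the password does not authenticate


@dataclass
class Entry:
    dn: str
    salt: bytes
    pw_hash: bytes          # only the salted hash is stored, never the password
    changed_at: float
    bind_allowed: bool = True  # stand-in for access control on the bind operation


@dataclass
class BindResult:
    result_code: int
    diagnostic: str
    control: Optional[dict] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_entry(dn: str, password: str, now: float) -> Entry:
    salt = os.urandom(16)
    return Entry(dn, salt, hash_password(password, salt), now)


def credentials_match(entry: Entry, candidate: str) -> bool:
    # Equality match of the hash of the client-provided value against the stored hash
    return hmac.compare_digest(entry.pw_hash, hash_password(candidate, entry.salt))


def check_new_password(policy: Policy, entry: Entry, new_password: str) -> Optional[str]:
    """Reason string if the proposed password violates policy, else None."""
    if len(new_password) < policy.min_length:
        return "passwordTooShort"
    if credentials_match(entry, new_password):
        return "passwordReused"
    return None


def store_password(entry: Entry, new_password: str, now: float) -> None:
    entry.salt = os.urandom(16)
    entry.pw_hash = hash_password(new_password, entry.salt)
    entry.changed_at = now


def simple_bind(directory: dict, policy: Policy, dn: str, password: str,
                controls: Optional[dict] = None, now: Optional[float] = None) -> BindResult:
    """Success only if access control permits, credentials verify, and policy is satisfied."""
    controls = controls or {}
    now = time.time() if now is None else now
    entry = directory.get(dn)
    if entry is None:
        return BindResult(INVALID_CREDENTIALS, "invalid credentials")
    if not entry.bind_allowed:                       # 1) access controls
        return BindResult(INSUFFICIENT_ACCESS_RIGHTS, "bind not permitted")
    if not credentials_match(entry, password):       # 2) proper credentials
        return BindResult(INVALID_CREDENTIALS, "invalid credentials")
    if NEW_CREDENTIALS in controls:                  # bind that also sets new credentials
        reason = check_new_password(policy, entry, controls[NEW_CREDENTIALS])
        if reason:
            return BindResult(CONSTRAINT_VIOLATION, "new password rejected",
                              {PASSWORD_POLICY_RESPONSE: reason})
        store_password(entry, controls[NEW_CREDENTIALS], now)
        if policy.rebind_required:                   # result code is this example's choice
            return BindResult(UNWILLING_TO_PERFORM, "password changed, rebind required",
                              {PASSWORD_POLICY_RESPONSE: "rebindRequired"})
        return BindResult(SUCCESS, "")
    if now - entry.changed_at > policy.max_age_seconds:  # 3) policy on current credentials
        return BindResult(INVALID_CREDENTIALS, "password expired",
                          {PASSWORD_POLICY_RESPONSE: "passwordExpired"})
    return BindResult(SUCCESS, "")


def modify_credentials(directory: dict, policy: Policy, dn: str, new_password: str,
                       controls: Optional[dict] = None, now: Optional[float] = None) -> BindResult:
    """Modify of the stored credential: policy runs only when enforcePasswordPolicy is sent."""
    controls = controls or {}
    entry = directory[dn]
    if ENFORCE_PASSWORD_POLICY in controls:
        reason = check_new_password(policy, entry, new_password)
        if reason:
            return BindResult(CONSTRAINT_VIOLATION, "policy violation",
                              {PASSWORD_POLICY_RESPONSE: reason})
    store_password(entry, new_password, time.time() if now is None else now)
    return BindResult(SUCCESS, "")


def run_scenario() -> list:
    """Constructed walk-through of the exchanges; returns (result code, reason) pairs."""
    policy = Policy(max_age_seconds=30 * 86400, min_length=8, rebind_required=True)
    dn, t0 = "uid=alice,dc=example,dc=com", 1_000_000.0
    directory = {dn: make_entry(dn, "Old-Secret-1", t0)}
    day = 86400
    steps = [
        simple_bind(directory, policy, dn, "wrong", now=t0 + 60),
        simple_bind(directory, policy, dn, "Old-Secret-1", now=t0 + 60),
        simple_bind(directory, policy, dn, "Old-Secret-1", now=t0 + 31 * day),
        simple_bind(directory, policy, dn, "Old-Secret-1", {NEW_CREDENTIALS: "short"}, now=t0 + 31 * day),
        simple_bind(directory, policy, dn, "Old-Secret-1", {NEW_CREDENTIALS: "New-Secret-2"}, now=t0 + 31 * day),
        simple_bind(directory, policy, dn, "New-Secret-2", now=t0 + 31 * day + 5),
        modify_credentials(directory, policy, dn, "tiny", {ENFORCE_PASSWORD_POLICY: True}, now=t0 + 31 * day + 6),
    ]
    return [(r.result_code, (r.control or {}).get(PASSWORD_POLICY_RESPONSE)) for r in steps]


if __name__ == "__main__":
    print(run_scenario())
```

The expiry check runs only on the bind that does not carry new credentials, so a client whose password has expired can still present the old password together with the newCredentials control and be told, via the response control, whether it must now rebind; a modify without the enforcePasswordPolicy control changes the stored hash with no policy check, which is the behaviour the message assigns to applications that do not opt in.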