
Re: ldap password policy approach



>>> "Kurt D. Zeilenga" <kurt@openldap.org> 10/22/99 1:22:33 PM >>>
>As I was rereading this draft, a few things struck me as
>being overly complex.  Most of this complexity is caused
>by enforcing policy when modify is used to set credentials.
>
>An alternative approach would be to use a control sent with a
>BindRequest to specify new credentials.  Here is a little
>food for thought.

Kurt, I think we should try to use existing LDAP functionality where it makes sense, and only turn to controls/extensions when that fails or becomes a poor fit.

That said, I think using LDAP modify to modify your password is not so much of a leap that it's confusing or poor design. Perhaps there are some things that the draft spells out which could be made less complex; I'd rather look at reducing complexity that way than by proliferating controls/extensions.

<snip>

>Additionally, a control (enforcePasswordPolicy) could be
>defined, and specified with operations that modify the stored
>credentials, that would enable password policy processing.
>A well behaving 3rd party authentication application would
>provide an enforcePasswordPolicy critical control.

I'd really like to keep the onus of password policy enforcement on the server.  If clients can dictate when and how to enforce security-related policies, how does an administrator ensure security? Who polices all the 3rd party authentication applications to make sure they're well behaved?

I'd really like to talk in specifics about where the complexities that you've observed lie, and try to address them.

Jim
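The two enforcement models argued over above, as an added toy example that is not code from this thread, from the draft, or from OpenLDAP: a modify of `userPassword` is run through a password policy either only when the client attached the `enforcePasswordPolicy` control (the quoted suggestion) or on every change regardless of controls (Jim's position). The control name comes from the thread; the policy rules, the entry and request classes, and the sample DN and passwords are assumptions constructed for the example.

```python
"""Toy model (constructed example, not OpenLDAP code) of server-side versus
client-gated password policy enforcement on an LDAP modify of userPassword."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The control name appears in the thread; no OID is assigned here (assumption).
ENFORCE_CONTROL = "enforcePasswordPolicy"
USER_PASSWORD = "userPassword"


@dataclass
class PasswordPolicy:
    """Assumed policy: minimum length, character-class mix, and no reuse of
    the current password or the last few history entries."""
    min_length: int = 8
    min_classes: int = 3      # distinct classes among lower/upper/digit/other
    history_size: int = 3

    def violations(self, candidate: str, current: str, history: list[str]) -> list[str]:
        problems = []
        if len(candidate) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        classes = sum(bool(re.search(p, candidate))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.min_classes:
            problems.append(f"fewer than {self.min_classes} character classes")
        if candidate == current or candidate in history[-self.history_size:]:
            problems.append("reuses a recent password")
        return problems


@dataclass
class Entry:
    dn: str
    user_password: str
    pw_history: list[str] = field(default_factory=list)


@dataclass
class ModifyRequest:
    dn: str
    replace: dict[str, str]                  # attribute -> new value (replace op only)
    controls: set[str] = field(default_factory=set)


def _apply(entry: Entry, req: ModifyRequest) -> None:
    """Commit the replacement and rotate the old password into history."""
    entry.pw_history.append(entry.user_password)
    entry.user_password = req.replace[USER_PASSWORD]


def handle_modify_client_gated(entry: Entry, req: ModifyRequest, policy: PasswordPolicy):
    """Quoted suggestion: the policy runs only when the client sends the control.
    Returns (accepted, reasons)."""
    if USER_PASSWORD not in req.replace:
        return True, []
    if ENFORCE_CONTROL in req.controls:
        problems = policy.violations(req.replace[USER_PASSWORD],
                                     entry.user_password, entry.pw_history)
        if problems:
            return False, problems
    _apply(entry, req)
    return True, []


def handle_modify_server_enforced(entry: Entry, req: ModifyRequest, policy: PasswordPolicy):
    """Jim's position: the server checks every userPassword change, whatever
    controls the client did or did not send. Returns (accepted, reasons)."""
    if USER_PASSWORD not in req.replace:
        return True, []
    problems = policy.violations(req.replace[USER_PASSWORD],
                                 entry.user_password, entry.pw_history)
    if problems:
        return False, problems
    _apply(entry, req)
    return True, []


def demo() -> dict[str, dict[str, bool]]:
    """Run both handlers over the same constructed requests; returns acceptance per case."""
    policy = PasswordPolicy()
    dn = "uid=jane,dc=example,dc=com"                           # constructed DN
    weak = ModifyRequest(dn, {USER_PASSWORD: "password"})        # no control attached
    strong = ModifyRequest(dn, {USER_PASSWORD: "Tr0ub4dor&3x"},  # well-behaved client
                           controls={ENFORCE_CONTROL})
    results = {}
    for name, handler in (("client_gated", handle_modify_client_gated),
                          ("server_enforced", handle_modify_server_enforced)):
        entry = Entry(dn, "OldP4ss!word")
        results[name] = {
            "weak_no_control": handler(entry, weak, policy)[0],
            "strong_with_control": handler(entry, strong, policy)[0],
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The only difference between the two handlers is whether the policy check is conditional on a client-supplied control; running `demo()` shows the weak replacement going through in the client-gated model and being refused in the server-enforced one, which is the administrative concern raised in the reply.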