[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: comments on ldap password policy draft

Kurt.

>>	In this document, the
>>      term "user" represents any application which is an LDAP client
>>      using the directory to retrieve or store information.
>
>This terminology might be confusing when discussiong 3rd party
>authenication applications.  I suggest using user to refer to
>the entity being authenticated and client to refer LDAP
>application which is submitting LDAP requests on behalf of this
>entity.

Good idea.

>>
>>      ( pwdSchema.1.4
>>        NAME 'pwdCheckSyntax'
>>        DESC'a flag which indicates whether the password syntax will be
>>            checked before the password is saved'
>
>'Syntax' implies that this is enabling a schema check.  It's
>actually enables various checks for password restrictions.
>I would suggest renaming this attribute or, at least,
>changing this attribute's description.

Agreed.

>>      ( pwdSchema.1.5
>>        NAME 'pwdExpireWarning'
>>        DESC'the maximum number of seconds before a password is due to
>>            expire that a warning message is to the user. A value of 0
>>            means no warning will be sentÆ
>
>Sounds like the user is going to be sent an unsolicited notification
>message of some sort.

The only time the user will see a message is via a control on the bind response.

>>	( pwdSchema.1.11
>>	  NAME 'pwdDefaultStorageScheme'
>>        DESC'the type of hash algorithm used to store directory server
>>            passwords'
>
>used 'by default'.   That is, that scheme which is currently used
>for generation of hashed password values for storage purposes.
>Also, I would like to see an attribute which enumerates
>which hash algorithms are currently supported for checking passwords.
>Many servers can support checking against multiple hash algorithms
>([S]MD5, [S]SHA, crypt, etc.).  That is, you can change the policy
>for generation of passwords for storage purposes while to support
>checking against both new and old hash algorithms.

I agree we need to make the description more clear.  Your second point, asks for a new attribute which advertises the server's comparison/checking capabilities. Does this add value other than making a client aware of the possible storage schemes?  If not, I'd again like to see what comes of these two drafts in the works <crypt attribute subtype for userPassword> and <advertisement of attribute type options> before creating this new attribute.

>>      The description of password storage scheme can be found in [RFC-
>>      2307].
>
>It should be noted two storage schemes can be found in RFC-2307.
>Also note that RFC-2307 is has a few holes, such as it doesn't
>describe how the encryptedpassword should encoded to string.  I
>suggest that such details be left to implementations (and
>future drafts) and remove from this draft all dependency upon
>RFC-2307.

We could remove the reference and either refer to another standards track draft or simply enumerate valid values in this draft.

>>   4.4 Attribute types used by the pwdInfObject Object Class
>>
>>      ( pwdInfObject.1.1
>>        NAME 'pwdExpirationTime'
>>        DESC'the time the entry's password expires. A 0 means that the
>>            password has expired. If this attribute does not exist, the
>>            password will never expire'
>
>If an administrator changes expiration policy, each pwdExpirationTime
>in that policy would need to be adjusted.  If an administrator
>didn't previously have an expiration policy, it not possible to
>establish an pwdExpirationTime specific to this entry and as
>until the administrator does add some pwdExpirationTime value,
>the current password will never expirse.  If a password expiration
>policy is in affect, no pwdExpirationTime should imply 'has expired'.
>
>I would suggest that this attribute be replaced with an attribute
>which would serve as timestamp for each password modification.
>This would allow for a expiration policy change to made with
>requiring change to each entry under that policy.  The password
>of an entry without a such timestamp would be considerred expired
>if an expiration policy was in effect.

pwdExpirationTime, is essentially a future time to expire is calculated once and simply compared to the current time when checking for expiration.  Your suggestion would cause a calculation to happen each time a bind occurs. So I guess we need to decide which is the lesser of two evils, re-calculating expirations when the policy changes or the overhead of calculating at each bind. Thinking...

>>   5. Password Expiration and Expiration Warning
>>
>>      The attributes pwdMaxAge and pwdExpireWarning are defined to
>>      specify when the password expires and when a warning message will
>>      be sent to the client respectively.
>
>Again, sounds like the server should send an unsolicited notification
>of some sort...

Same as above, there's just a control on the bindRequest. We should clarify.

>>	The actual expiration time
>>      for a password will be stored in the pwdExpirationTime attribute
>>      of the user entry.
>
>As noted above, this requires each entry under the policy to be
>updated whenever the expiration policy changes.

Right.

>>   8. Password Syntax and Minimum length
>>      The pwdCheckSyntax attribute indicates whether the password
>>      syntax will be checked before a new password is saved.
>
>I suggest s/syntax/restrictions/.

Yes.

>>      If the client is sending an encrypted password as the new
>>      password then it becomes the client responsibility to make sure
>>      that the password meets the minimum length and other constraints.
>
>There should be a requirement that servers publish password
>policy to any client which can modify an attribute under the
>policy. (Much like the requirement to publish schema for any
>attribute that a client can modify).

This should be done through the RootDSE, Section 14 needs to address how the password policies are published and associated with specific entries. This issue is a hole we decided to deal with in the next rev.

>>   9. User Defined Passwords
>>
>>      This policy defines whether the users can change their own
>>      passwords.
>>      During modify password operation, the server should check if the
>>      user is allowed to change password. If not, the server should
>>      send to the client the LDAP_UNWILLING_TO_PERFORM result code and
>>      an error message to indicate that the user is not allowed to
>>      change the password. Note that the userPassword attribute may be
>>      protected via ACLs also and the user must have necessary
>>      privilege to modify the userPassword attribute values.
>
>Which checks, access policy or password policy, are applied first.
>That is, if a modify operation violates both policies, which error
>will be returned.  I would assume access controls would be applied
>first.

Right, we can clarify that.

>>      After that, for any operation issued by the user other than
>>      modify password, bind, unbind, or abandon the server should send
>>      the response message with the resultCode:
>>      LDAP_UNWILLING_TO_PERFORM, and should include the password
>>      expired control in the controls field of the response message:
>
>All this special unwillingToPerform behavior gives me the willies.

In this case at least, the unwillingToPerform result is accompanied by a control that tells the client what's going on.

>>
>>      In ldif format:
>
>Nit: No DN, not valid LDIF (no DN).  And 'LDIF format' is redundant.
>And a reference, please.

Thanks.

>>         pwdStorageScheme: SHA
>
>Should be pwdDefaultStorageScheme.

Right.

>More later...

Thanks Kurt.