
Re: comments on ldap password policy draft



At 10:46 AM 10/25/99 -0600, Jim Sermersheim wrote:
>>If you want to avoid the policy fetch for each bind, you
>>could store both a timestamp of last password modification
>>and the expiration time.
>
>I'm not sure how that would help. Wouldn't we still need to look at the policy (in case it changed?)

No.  pwdExpirationTime would be computed on every policy change
based upon pwdPasswordTimeStamp.  The advantage of having
pwdPasswordTimeStamp is that you have a reference time to
use in computing pwdExpirationTime.

If pwdPasswordTimeStamp didn't exist for some reason when the
policy was changed, then you would have to fall back to either:
	1) expire now
	2) expire policy seconds from now.

The choice, of course, could be a matter of policy.

----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>
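
The recompute-on-policy-change scheme described in this message, as an added example (not code from the draft or from any LDAP server). The attribute names are the ones used in the message; the function names, the fallback mode strings, a maximum age expressed in seconds, and the sample entries are assumptions.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime, UTC, whole seconds


def parse_gt(value):
    return datetime.strptime(value, GT_FORMAT).replace(tzinfo=timezone.utc)


def format_gt(moment):
    return moment.astimezone(timezone.utc).strftime(GT_FORMAT)


def recompute_expiration(entry, max_age_seconds, now, fallback="expire_now"):
    """Run for each entry whenever the policy changes (hypothetical helper).

    Uses pwdPasswordTimeStamp as the reference time. If it is missing,
    the fallback decides between the two options listed in the message.
    """
    stamp = entry.get("pwdPasswordTimeStamp")
    if stamp is not None:
        expires = parse_gt(stamp) + timedelta(seconds=max_age_seconds)
    elif fallback == "expire_now":
        expires = now
    elif fallback == "expire_after_policy":
        expires = now + timedelta(seconds=max_age_seconds)
    else:
        raise ValueError("unknown fallback: %r" % fallback)
    entry["pwdExpirationTime"] = format_gt(expires)
    return entry["pwdExpirationTime"]


def password_expired_at_bind(entry, now):
    """Bind-time check: reads only the entry, never the policy."""
    return now >= parse_gt(entry["pwdExpirationTime"])


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    now = datetime(1999, 10, 25, 16, 46, 0, tzinfo=timezone.utc)
    alice = {"pwdPasswordTimeStamp": "19991001000000Z"}
    bob = {}  # no timestamp recorded before the policy change
    for days in (90, 14):  # policy changes from 90 days to 14 days
        seconds = days * 86400
        recompute_expiration(alice, seconds, now)
        recompute_expiration(bob, seconds, now, fallback="expire_after_policy")
        print(days, alice["pwdExpirationTime"], password_expired_at_bind(alice, now),
              bob["pwdExpirationTime"], password_expired_at_bind(bob, now))
```
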