
Re: ldap password policy approach



Kurt,

If we open the discussion up to LDAP applications in general rather than talk specifically about authentication applications, I don't think an administrator can realistically enforce well behaved applications. Since LDAP is an open protocol, and surely there is/will be a wide array of applications that are LDAP enabled, how can an administrator prevent a 'naughty' LDAP application from being run at my desktop?

<The original discussion had to do with whether the server or the client should enforce password policy when modifying the password. You had suggested an enforcePasswordPolicy control to be used with the modify request>

Jim

>>> "Kurt D. Zeilenga" <kurt@boolean.net> 10/23/99 11:38:06 AM >>>
At 02:20 PM 10/22/99 -0600, Jim Sermersheim wrote:
>>>> "Kurt D. Zeilenga" <kurt@openldap.org> 10/22/99 1:22:33 PM >>>

> Who polices all the 3rd party authentication applications to
> make sure they're well behaved?

The administrator.  No approach can stop a 3rd party
authentication application from circumventing the password
policy.  It's up to the administrator to choose well behaved
applications (and to define "well behaved").



----
Kurt D. Zeilenga		<kurt@boolean.net>
Net Boolean Incorporated	<http://www.boolean.net/>