
Re: ldap password policy approach



Prasanta Behera wrote:

> "Kurt D. Zeilenga" wrote:
>
> > At 08:12 PM 10/27/99 -0600, Jim Sermersheim wrote:
> > >What do you think?
> >
> > I concur that the password policy should be divorced from the
> > password storage.  It's my view that, like RFC2251, the password
> > policy should not place any restrictions upon how servers store
> > credentials.
> >
> > As far as the pwdHistory attribute type, I would suggest avoiding
> > defining it.  That is, the policy needn't concern itself with
> > how a server records the history to enforce the policy.  It
> > just needs to enforce the policy.
>
> Agreed.  The policy should say if "pwdHistory" is on or off to
> tell the server to keep a history or not.

This is the pwdKeepHistory in the pwdPolicy object.

By not describing the pwdHistory attribute type, we will hit some
interoperability problems in a heterogeneous replicated environment
(multi-master replication with different vendors' servers).
The pwdHistory attribute needs to be replicated, and all servers need to
know how to check a password against the history. Therefore, we need to
specify what it looks like.

Ludovic.

>
> /prasanta
>
> >
> >
> > Kurt
> >
> > ----
> > Kurt D. Zeilenga                <kurt@boolean.net>
> > Net Boolean Incorporated        <http://www.boolean.net/>

--
Ludovic Poitou
Sun Microsystems Inc.
Sun-Netscape Alliance - Directory Group - Grenoble - France
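To illustrate the interoperability point Ludovic raises (every replica must be able to check a candidate password against replicated pwdHistory values), here is an added example that is not part of the thread. It assumes the value layout `time#syntaxOID#length#data` from the later password-policy draft, which this message does not spell out, and assumes the stored data is an RFC 2307 style `{SSHA}` userPassword value; sample values are constructed.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Assumed pwdHistory layout (from the later draft, not from this thread):
#   time '#' syntaxOID '#' length '#' data
OCTET_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # userPassword syntax


@dataclass
class HistoryEntry:
    time: str
    syntax_oid: str
    data: bytes


def parse_pwd_history(value: str) -> HistoryEntry:
    """Split one pwdHistory value. 'data' may itself contain '#', so split at most 3 times."""
    time, oid, length, data = value.split("#", 3)
    raw = data.encode()
    if int(length) != len(raw):
        raise ValueError("pwdHistory length field does not match data")
    return HistoryEntry(time, oid, raw)


def make_ssha(password: str, salt: bytes) -> str:
    """Produce an RFC 2307 style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(candidate: str, stored: bytes) -> bool:
    """Verify a candidate against a stored {SSHA} value using a constant-time compare."""
    if not stored.startswith(b"{SSHA}"):
        return False
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    return hmac.compare_digest(hashlib.sha1(candidate.encode() + salt).digest(), digest)


def history_value(time: str, stored: str) -> str:
    """Build a pwdHistory value as a server would record it (constructed helper)."""
    return f"{time}#{OCTET_STRING_SYNTAX}#{len(stored.encode())}#{stored}"


def password_in_history(candidate: str, history: list[str]) -> bool:
    """True if the candidate matches any replicated history entry (reuse must be refused)."""
    return any(
        e.syntax_oid == OCTET_STRING_SYNTAX and check_ssha(candidate, e.data)
        for e in map(parse_pwd_history, history)
    )


# Constructed sample history, as it might arrive from another vendor's replica.
SAMPLE_HISTORY = [
    history_value("20230101120000Z", make_ssha("OldPassw0rd!", b"salt1234")),
    history_value("20230601120000Z", make_ssha("Second-Pass-7", b"othersalt")),
]
```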