Re: ldap password policy approach
Prasanta Behera wrote:
> "Kurt D. Zeilenga" wrote:
>
> > At 08:12 PM 10/27/99 -0600, Jim Sermersheim wrote:
> > >What do you think?
> >
> > I concur that the password policy should be divorced from the
> > password storage. It's my view that, like RFC2251, the password
> > policy should not place any restrictions upon how servers store
> > credentials.
> >
> > As far as the pwdHistory attribute type, I would suggest avoiding
> > defining it. That is, the policy needed concern itself with
> > how a server records the history to enforce the policy. It
> > just needs to enforce the policy.
>
> Agreed. The policy should say if "pwdHistory" is on or off to
> tell the server to keep a history or not.

This is the pwdKeepHistory in the pwdPolicy object.

By not describing the pwdHistory attribute type, we will hit some
interoperability problems in a heterogeneous replicated environment
(multi-master replication with different vendors' servers).
The pwdHistory attribute needs to be replicated and all servers need to
know how to check a password against the history. Therefore, we need to
specify what it looks like.

Ludovic.
>
>
>
> /prasanta
>
> >
> >
> > Kurt
> >
> > ----
> > Kurt D. Zeilenga <kurt@boolean.net>
> > Net Boolean Incorporated <http://www.boolean.net/>
--
Ludovic Poitou
Sun Microsystems Inc.
Sun-Netscape Alliance - Directory Group - Grenoble - France