
some comments on draft-behera-ldap-password-policy-04.txt
Hello,
  I have some comments on draft-behera-ldap-password-policy-04.txt .
I've sent them already to the authors - now I was told
that it could be a good idea to send it also to ietf-ldapext mailing list.

Here it is:

-----------------
1.
4.2.1 - pwdAttribute:

Why is the syntax DirectoryString - and not objectIdentifier
(1.3.6.1.4.1.1466.115.121.1.38)?
I think it would be better to store the OID in this attribute - not
the LDAP string format of the attribute.
Reason: The LDAP string format of an attribute is not unique.
This could cause problems e.g. with replication - and interworking in
general.

2.
impact on X.500?

There are products around which support LDAP and X.500 protocols (esp. DAP).
Users can use both protocols to bind to the directory (and to modify
entries).
So applying these password policy rules only onto LDAP doesn't really help.

If applying these rules also onto DAP:
What about the additional "error codes" (controls)
in Bind responses, Modify Responses etc.?
Does the X.500 standard series (esp. X.511) have
to be changed?

I think at least this problem should be mentioned in this standard.

3.
RFC2307

You mention RFC2307 in the chapter "References". I can't find any
reference in the text before ...
Question: Are you planning to obsolete RFC2307 by your standard?
If not: You should add some comments how to deal with both RFCs.

E.g. there are products around using the NIS schema (RFC2307); one example
is the Axent Raptor firewall (6.5 - now Symantec), others could be UNIX
PAM modules etc. Also in this RFC2307 schema there are fields handling
password policies, e.g.

shadowLastChange
shadowMin
shadowMax
shadowWarning
shadowInactive
shadowExpire

4.
4.3.6 pwdGraceUseTime

   This attribute holds the timestamps of grace login once a password
   has expired.

   (  1.3.6.1.4.1.42.2.27.8.1.21
      NAME 'pwdGraceUseTime'
      DESC 'The timestamps of the grace login once the password has
      expired'
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
      EQUALITY generalizedTimeMatch
      SINGLE-VALUE
      USAGE directoryOperation)
---

If this attribute shall hold timestamps (one or more) it should be
multi-valued instead of single-valued.

--------------

Regards,

Jochen.

---
Dr. Jochen Keutel
Wusterhausener Str. 8
15732 Eichwalde
+49 30 678 19189
+49 177 6572720
jochen@keutel.de
(Directory and Security Consulting)
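The following is an added example, not part of the mail above, the draft, or any product it mentions. It is a small parser for RFC 2252-style attribute type descriptions and illustrates points 1 and 4 of the mail: a descriptor such as 'cn' / 'commonName' is one attribute with two DirectoryString names, so a pwdAttribute value is only comparable across replicas once mapped to the numeric OID; and the SINGLE-VALUE flag on pwdGraceUseTime means a second grace-login timestamp cannot be stored. The schema text is constructed: the pwdGraceUseTime definition is the one quoted in the mail, the 'cn' definition is the standard one for 2.5.4.3 (RFC 2256). The parser assumes no parentheses inside quoted strings.

```python
"""Added example (not from the mail or the draft): a minimal parser for
RFC 2252-style AttributeTypeDescription values, used to show why a
pwdAttribute should be compared by OID and why a SINGLE-VALUE attribute
cannot hold several grace-login timestamps."""
import re

# Constructed sample schema. pwdGraceUseTime is the definition quoted in
# the mail; 'cn'/'commonName' is the standard 2.5.4.3 definition (RFC 2256),
# chosen because it carries two descriptors for a single OID.
SAMPLE_SCHEMA = """
( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
( 1.3.6.1.4.1.42.2.27.8.1.21
   NAME 'pwdGraceUseTime'
   DESC 'The timestamps of the grace login once the password has
   expired'
   SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
   EQUALITY generalizedTimeMatch
   SINGLE-VALUE
   USAGE directoryOperation )
"""


def split_definitions(schema_text):
    """Return each top-level '( ... )' block. Assumes no parentheses inside
    quoted strings, which holds for the constructed sample."""
    blocks, depth, start = [], 0, None
    for i, ch in enumerate(schema_text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0 and start is not None:
                blocks.append(schema_text[start:i + 1])
                start = None
    return blocks


def parse_attribute_type(definition):
    """Extract the OID, NAME descriptors, SYNTAX OID and SINGLE-VALUE flag."""
    body = definition.strip()[1:-1].strip()
    oid, rest = body.split(None, 1)
    # Drop the DESC string first so free text cannot be mistaken for a keyword.
    rest = re.sub(r"\bDESC\s+'[^']*'", " ", rest)
    m = re.search(r"\bNAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", rest)
    names = re.findall(r"'([^']*)'", m.group(1)) if m else []
    m = re.search(r"\bSYNTAX\s+([0-9.]+)", rest)
    return {
        "oid": oid,
        "names": names,
        "syntax": m.group(1) if m else None,
        "single_value": re.search(r"\bSINGLE-VALUE\b", rest) is not None,
    }


def parse_schema(schema_text):
    return [parse_attribute_type(d) for d in split_definitions(schema_text)]


def build_descriptor_index(schema_text):
    """Map every descriptor (case-insensitively) and every OID to the OID."""
    index = {}
    for at in parse_schema(schema_text):
        index[at["oid"]] = at["oid"]
        for name in at["names"]:
            index[name.lower()] = at["oid"]
    return index


def canonical_oid(pwd_attribute_value, index):
    """Normalise a pwdAttribute value (descriptor or dotted OID) to the OID,
    so two replicas that stored different descriptors still agree."""
    return index.get(pwd_attribute_value.lower())


def store_values(attribute_type, values):
    """Simulate a server receiving several values for one attribute: a
    SINGLE-VALUE type rejects the second value instead of keeping a list."""
    values = list(values)
    if attribute_type["single_value"] and len(values) > 1:
        raise ValueError(
            f"{attribute_type['names'][0]} is SINGLE-VALUE; "
            f"cannot hold {len(values)} values"
        )
    return values


INDEX = build_descriptor_index(SAMPLE_SCHEMA)
ATTRS = {at["oid"]: at for at in parse_schema(SAMPLE_SCHEMA)}
GRACE = ATTRS["1.3.6.1.4.1.42.2.27.8.1.21"]

if __name__ == "__main__":
    # Point 1: two descriptors for one attribute; equal only after OID mapping.
    print(canonical_oid("cn", INDEX), canonical_oid("commonName", INDEX))
    # Point 4: a second grace-login timestamp (constructed values) is rejected.
    try:
        store_values(GRACE, ["20020101120000Z", "20020102120000Z"])
    except ValueError as exc:
        print(exc)
```

Run as a script it prints the same OID twice for 'cn' and 'commonName', then the rejection message for the second pwdGraceUseTime value; comparing the raw descriptor strings instead would report the two replicas as holding different policies.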