[ldapext] draft-behera-ldap-password-policy - bind behavior when pwd must be changed
As I read this draft, if the password must be changed (after reset), the
bind is successful, even if the client does not include the password policy
request control.  This seems like a problem when the LDAP server is used
only for authentication.  I would think that a bind in that case should
fail -- on the assumption that there is a password policy aware application
that can be used to change the password.  Otherwise, the user can continue
to authenticate successfully, which seems to be in violation of the intent
of the policy.

Should the bind procedure be changed to fail if the password must be
changed because of being reset when there is no password policy control?
And succeed, with the warning, if the control is present?  I'd be tempted
to say even then it should fail, but I'm not sure if clients like JNDI
would be able to handle a control on a failure.  Or at least this concern
should be discussed, possibly with the recommendation that servers should
provide a means to choose this behavior?


John McMeeking
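The bind outcomes discussed above, as an added example that is not part of the original post or of the draft: a small model of the server-side bind decision for an entry whose password has been administratively reset (pwdReset TRUE). The control OID and the changeAfterReset error value are the ones the draft defines; the three behaviour modes, the `must_change_mode` server option, the `Entry`/`BindResult` structures and the sample entries are assumptions constructed for this illustration, not any server's implementation.

```python
"""Model of LDAP bind handling when a password must be changed after reset.

Constructed example. It contrasts the draft's behaviour (bind succeeds, the
changeAfterReset error is only visible through the password policy response
control) with the two alternatives raised in the post: fail the bind when the
client did not send the control, or fail it in every case.
"""
from dataclasses import dataclass
from typing import Optional

# From draft-behera-ldap-password-policy.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # password policy request/response control
CHANGE_AFTER_RESET = 2                              # PasswordPolicyResponseValue error value

# LDAP result codes.
SUCCESS = 0
INVALID_CREDENTIALS = 49

# Assumed server option "must_change_mode" with three constructed values.
DRAFT = "draft"                                 # succeed; report error via control if requested
FAIL_WITHOUT_CONTROL = "fail-without-control"   # post's proposal: fail unless control present
ALWAYS_FAIL = "always-fail"                     # stricter variant: fail even with the control


@dataclass
class Entry:
    dn: str
    password: str            # plaintext only because this is a model, never do this in a server
    pwd_reset: bool = False  # pwdReset operational attribute from the draft


@dataclass
class BindResult:
    result_code: int
    # Decoded PasswordPolicyResponseValue, present only when the client sent the request control.
    response_control: Optional[dict] = None
    # Draft behaviour: after a successful bind with pwdReset TRUE, only a password change is allowed.
    restricted_to_password_change: bool = False


def bind(entry: Entry, supplied_password: str, request_controls: tuple,
         must_change_mode: str = DRAFT) -> BindResult:
    """Evaluate a simple bind against one entry under the chosen must-change mode."""
    control_requested = PPOLICY_CONTROL_OID in request_controls

    if supplied_password != entry.password:
        # Wrong password: the policy control carries no error for this case in the model.
        return BindResult(INVALID_CREDENTIALS)

    if not entry.pwd_reset:
        return BindResult(SUCCESS, {} if control_requested else None)

    # Correct password, but the password was reset and must be changed.
    control = {"error": CHANGE_AFTER_RESET} if control_requested else None

    if must_change_mode == DRAFT:
        # Draft: bind succeeds either way; a control-unaware client never learns why
        # its later operations are refused.
        return BindResult(SUCCESS, control, restricted_to_password_change=True)

    if must_change_mode == FAIL_WITHOUT_CONTROL:
        if not control_requested:
            # Authentication-only deployments: no policy-aware client, so refuse the bind.
            return BindResult(INVALID_CREDENTIALS)
        return BindResult(SUCCESS, control, restricted_to_password_change=True)

    if must_change_mode == ALWAYS_FAIL:
        # Control is attached to a failure; the post notes some clients may not cope with this.
        return BindResult(INVALID_CREDENTIALS, control)

    raise ValueError(f"unknown must_change_mode: {must_change_mode!r}")


def entries_pending_change(entries) -> list:
    """Audit helper: DNs whose password was reset and has not been changed since."""
    return [e.dn for e in entries if e.pwd_reset]


# Constructed sample data.
RESET_USER = Entry("uid=alice,ou=people,dc=example,dc=com", "Temp-Pass-1", pwd_reset=True)
NORMAL_USER = Entry("uid=bob,ou=people,dc=example,dc=com", "Long-Lived-Pw", pwd_reset=False)

if __name__ == "__main__":
    for mode in (DRAFT, FAIL_WITHOUT_CONTROL, ALWAYS_FAIL):
        for ctrls in ((), (PPOLICY_CONTROL_OID,)):
            r = bind(RESET_USER, "Temp-Pass-1", ctrls, mode)
            print(f"{mode:22} control={'yes' if ctrls else 'no ':3} -> {r}")
    print("pending change:", entries_pending_change([RESET_USER, NORMAL_USER]))
```

Running the module prints one line per mode and control combination; the `FAIL_WITHOUT_CONTROL` row with no control is the case the post argues for, and the `ALWAYS_FAIL` row with the control shows the "control on a failure" situation the post is unsure clients can handle.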


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext