
Re: [ldapext] draft-behera-ldap-password-policy - bind behavior when pwd must be changed

John McMeeking wrote:

As I read this draft, if the password must be changed (after reset), the
bind is successful, even if the client does not include the password policy
request control.  This seems like a problem when the LDAP server is used
only for authentication.  I would think that a bind in that case should
fail -- on the assumption that there is a password policy aware application
that can be used to change the password.  Otherwise, the user can continue
to authenticate successfully, which seems to be in violation of the intent
of the policy.
Good remark.

Should the bind procedure be changed to fail if the password must be
changed because of being reset when there is no password policy control?
And succeed, with the warning, if the control is present?
I'd be tempted to say yes.
I also concur that this should be a SHOULD.
I believe that it will take a while before all clients use the password policy controls on all bind operations.
I will update the draft to discuss this issue and provide some recommendations.

Thanks for your comments,

Ludovic.

I'd be tempted to say even then it should fail, but I'm not sure if clients
like JNDI would be able to handle a control on a failure.  Or at least this
concern discussed, possibly with the recommendation that servers should
provide a means to choose this behavior?


John McMeeking


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext



-- Ludovic Poitou Directory Architect. Directory Server Group, Grenoble, France Sun Microsystems Inc.
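To make the two behaviours debated in the thread concrete, here is an added example that is not part of the thread or of the draft: a server-side bind decision for an account whose password was reset, returning success plus a PasswordPolicyResponseValue carrying changeAfterReset when the client sent the request control, and refusing the bind when it did not. The control OID and the ASN.1 layout are taken from the draft; the failing result code (invalidCredentials, 49) is an assumption, since the thread does not pick one.

```python
"""Bind decision for a reset password (added illustration of the list discussion)."""
from dataclasses import dataclass
from typing import Optional

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # password policy control (from the draft)
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49   # assumption: result code used when the bind is refused
CHANGE_AFTER_RESET = 2          # PasswordPolicyResponseValue.error enumeration value


def _int(v: int) -> bytes:
    """Minimal positive INTEGER/ENUMERATED content octets (leading 0x00 keeps the sign clear)."""
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big")


def _tlv(tag: int, content: bytes) -> bytes:
    """Short-form BER TLV; the response value is always far below 128 octets."""
    return bytes([tag, len(content)]) + content


def encode_ppolicy_response(error: Optional[int] = None,
                            time_before_expiration: Optional[int] = None) -> bytes:
    """PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE {...} OPTIONAL,
    error [1] ENUMERATED {...} OPTIONAL }.  The tagged CHOICE is encoded explicitly."""
    content = b""
    if time_before_expiration is not None:
        content += _tlv(0xA0, _tlv(0x80, _int(time_before_expiration)))  # timeBeforeExpiration [0]
    if error is not None:
        content += _tlv(0x81, _int(error))                                # error [1], implicit tag
    return _tlv(0x30, content)


def decode_ppolicy_error(value: bytes) -> Optional[int]:
    """What a policy-aware client does with the response: pull out the error field, if any."""
    pos, end = 2, 2 + value[1]
    while pos < end:
        tag, length = value[pos], value[pos + 1]
        if tag == 0x81:
            return int.from_bytes(value[pos + 2:pos + 2 + length], "big")
        pos += 2 + length
    return None


@dataclass
class BindOutcome:
    result_code: int
    response_control: Optional[bytes]   # encoded PasswordPolicyResponseValue, or None


def decide_reset_bind(password_ok: bool, pwd_reset: bool, client_sent_control: bool) -> BindOutcome:
    """Proposed behaviour: a reset password only yields a successful bind for a client that
    asked for the policy control (so it can prompt for a new password); otherwise the bind fails,
    closing the authentication-only loophole raised on the list."""
    if not password_ok:
        return BindOutcome(LDAP_INVALID_CREDENTIALS, None)
    if not pwd_reset:
        return BindOutcome(LDAP_SUCCESS, None)
    if client_sent_control:
        return BindOutcome(LDAP_SUCCESS, encode_ppolicy_response(error=CHANGE_AFTER_RESET))
    return BindOutcome(LDAP_INVALID_CREDENTIALS, None)
```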