
Re: [ldapext] draft-behera-ldap-password-policy - bind behavior when pwd must be changed



Hi Andrew,

Your assumptions are reasonable and similar to mine.
I will add text to the ID to remove the ambiguities.

Ludovic.

Andrew Sciberras wrote:

Hi,

I fully agree with John's analysis.

That's cool, although I think my differing opinion comes from a certain level of ambiguity within the draft.

The description of pwdMustChange is:
"This attribute specifies with a value of "TRUE" that users must change
their passwords when they first bind to the directory after a password is
set or reset by the administrator."

And pwdReset is:
"This attribute holds a flag to indicate (when TRUE) that the password has
been reset and therefore must be changed by the user on first
authentication"

The problems are:
* Administrator is never defined
* The draft never states when the pwdReset value should be set to TRUE
* The draft doesn't account for the scenario of a reset password (i.e.
pwdReset == TRUE) being changed by an Administrator again.


The assumptions I've taken from the draft, into my implementation, are:
* An administrator is anyone with the power to change the user's password, who isn't the user.
* If a password, which is being governed by a pwdMustChange policy, is changed by my definition of an administrator then the pwdReset value will be set to TRUE.
* If an administrator changes the password again, the pwdReset value will still be TRUE.


My implementation was based on my assumptions. And in my implementation, the only way you're going to get rid of that pwdReset value of TRUE is for the user to change the password themselves, which requires a bind operation.

The only way that I can see your proposed solution working is if you and
other implementations have made different assumptions as to what an
administrator is.
If this is the case, then I think we should aim to remove this level of
ambiguity from the draft.

Catch,
Andrew Sciberras.



Ciao, Michael.





_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext



--
Ludovic Poitou
Directory Architect. Directory Server Group, Grenoble, France
Sun Microsystems Inc.




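The pwdMustChange / pwdReset assumptions Andrew lists in his quoted message, modelled as an added example that is not part of the thread and not any server's code. The Policy and Entry shapes, the DNs and the "must-change" outcome are constructed for illustration; only the attribute names come from the draft.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    pwd_must_change: bool = True   # the policy's pwdMustChange attribute


@dataclass
class Entry:
    dn: str
    password: str
    pwd_reset: bool = False        # the entry's pwdReset operational attribute


def change_password(entry: Entry, actor_dn: str, new_password: str, policy: Policy) -> bool:
    """Apply a password modification and return the resulting pwdReset value.

    Andrew's assumptions (hypothetical model, not any server's code):
    1. an administrator is anyone who can change the password and is not the user;
    2. an administrative change under a pwdMustChange policy sets pwdReset TRUE;
    3. a further administrative change leaves pwdReset TRUE;
    and pwdReset is cleared only when the user changes the password themselves.
    """
    entry.password = new_password
    if actor_dn == entry.dn:
        entry.pwd_reset = False
    elif policy.pwd_must_change:
        entry.pwd_reset = True
    return entry.pwd_reset


def bind(entry: Entry, password: str) -> str:
    """Outcome of a simple bind: 'invalid', 'ok', or 'must-change'.
    'must-change' models the draft's changeAfterReset indication: the bind
    succeeds, but the server should then allow only a password change."""
    if password != entry.password:
        return "invalid"
    return "must-change" if entry.pwd_reset else "ok"


def walk_through() -> list:
    """Constructed scenario: two administrative resets, then a self-change."""
    policy = Policy()
    user = Entry("uid=alice,dc=example,dc=com", "initial")
    admin_dn = "cn=admin,dc=example,dc=com"
    trace = []
    for actor, pwd in [(admin_dn, "reset-1"), (admin_dn, "reset-2"), (user.dn, "chosen-by-alice")]:
        change_password(user, actor, pwd, policy)
        trace.append(bind(user, pwd))
    return trace
```

The trace shows the second administrative reset leaving the flag set, and only the user's own change clearing it.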