
Re: [ldapext] draft-behera-ldap-password-policy - bind behavior when pwd must be changed



John,

On Wed, Nov 19, 2003 at 08:13:42AM -0600, John McMeeking wrote:
> 
[snip]
>
> What I feel is lacking in the draft is the distinction between a client
> that provides the password policy request control and a client that does
> not.
> - If no password policy control is present, a bind with a reset password
> should fail
> - If a password policy is present, a bind with a reset password should
> succeed with a response control returned as is currently stated in the
> draft.

How can the LDAP server tell if the client supports password policy or
not?  All it knows is that they want to bind.

I agree that the security policy should be enforced at the server
and not at the client, but in this case we have no means to do
that without "breaking" clients which don't know how to read the
policy.

Cheers,

Dejan

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext