[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed

To: "'Volpers, Helmut'" <helmut.volpers@siemens.com>
Subject: RE: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed
From: "Andrew Sciberras" <andrews@adacel.com.au>
Date: Thu, 20 Nov 2003 09:22:53 +1100
Cc: "Ldapext \(E-mail\)" <ldapext@ietf.org>, "'John McMeeking'" <jmcmeek@us.ibm.com>
Importance: Normal
In-reply-to: <D1533D42A5A9D511A8090050DA3D8357844390@pappel.asw.mchp.siemens.de>

Hi,


>-----Original Message-----
>From: ldapext-admin@ietf.org [mailto:ldapext-admin@ietf.org]On Behalf Of
Volpers, Helmut
>Sent: Thursday, 20 November 2003 2:32
>
>Hi,
>
>I agree with John. The draft should distinguish between clients which
>provides the password policy request control and clients which
>don't support
>this.


Generally I agree with this point. I think it is sensible, as a security
precaution, to fail binds if the directory cannot be certain that the client
would understand the scope in which it is allowing the bind to proceed.
Compare operations should fail aswell.

In principal, I think that any client that cannot handle a password policy
response control should not be interacting with a password policy enabled
directory.
If the client is unable to interpret the contents of the control, they've
got a lot more than the changeAfterReset dilemma to worry about. Each of the
errors and warnings
	* timeBeforeExpiration,
	* graceLoginsRemaining,
	* passwordExpired,
	* acocuntLocked,
	* changeAfterReset,
	* passwordModNotAllowed,
	* mustSupplyOldPassword,
	* invalidPasswordSyntax,
	* passwordTooShort,
	* passwordTooYoung,
	* passwordInHistory
provide vital information as to why the directory is not ( or will not in
the future) be behaving according to the "normal" LDAP protocol rules.
It is simply pointless enforcing a password policy and having unaware
clients interacting with the system.


My overall view is that the server must fail binds and compares if pwdReset
is true and it does not think that the client could handle a response
control. (Still not sure about the search operation. Any suggestions ???).
It must handle binds and compares normally if the client has indicated that
they are able to handle a response control.
This requires a few changes to be made:
* Clear statement that clients MUST provide a request control if they want
the password policy to apply normally
* Clear statement that the server will be basing its opinion on whether a
client supports the password policy on whether the client has provided a
request control.
* Mandating that the server must return a response control (in an erroneous
or warning situation) when the client has sent one



Cheers,
Andrew Sciberras.

P.S.
Please let me know if a new version of this draft is due to be made, I have
some other suggestions that I'd like to make. Thanks.



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed
  - From: Ludovic Poitou <ludovic.poitou@Sun.COM>
- Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed
  - From: Michael Ströder <michael@stroeder.com>

References:
- RE: [ldapext] draft-behera-ldap-password-policy - bind behavior w hen pwd must be changed
  - From: "Volpers, Helmut" <helmut.volpers@siemens.com>

Prev by Date: RE: [ldapext] draft-behera-ldap-password-policy - bind behavior w hen pwd must be changed
Next by Date: Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed
Index(es):
- Chronological
- Thread