[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed

Andrew,

I've started editing the new version of the ID. Feel free to post your suggestions.
One of the comments that was made to me about the draft is about error results returned in the control. The question was whether we should create new LDAP Result codes or keep these in the Password Policy control. I think that most of them can be considered as sub-results of typical LDAP results. But the recent discussion let me believe that some errors could be new LDAP Result code and not returned in the Control. Still needs full analysis though.

Ludovic.

Andrew Sciberras wrote:

Hi,




-----Original Message-----
From: ldapext-admin@ietf.org [mailto:ldapext-admin@ietf.org]On Behalf Of


Volpers, Helmut


Sent: Thursday, 20 November 2003 2:32

Hi,

I agree with John. The draft should distinguish between clients which
provides the password policy request control and clients which
don't support
this.




Generally I agree with this point. I think it is sensible, as a security
precaution, to fail binds if the directory cannot be certain that the client
would understand the scope in which it is allowing the bind to proceed.
Compare operations should fail aswell.

In principal, I think that any client that cannot handle a password policy
response control should not be interacting with a password policy enabled
directory.
If the client is unable to interpret the contents of the control, they've
got a lot more than the changeAfterReset dilemma to worry about. Each of the
errors and warnings
	* timeBeforeExpiration,
	* graceLoginsRemaining,
	* passwordExpired,
	* acocuntLocked,
	* changeAfterReset,
	* passwordModNotAllowed,
	* mustSupplyOldPassword,
	* invalidPasswordSyntax,
	* passwordTooShort,
	* passwordTooYoung,
	* passwordInHistory
provide vital information as to why the directory is not ( or will not in
the future) be behaving according to the "normal" LDAP protocol rules.
It is simply pointless enforcing a password policy and having unaware
clients interacting with the system.


My overall view is that the server must fail binds and compares if pwdReset
is true and it does not think that the client could handle a response
control. (Still not sure about the search operation. Any suggestions ???).
It must handle binds and compares normally if the client has indicated that
they are able to handle a response control.
This requires a few changes to be made:
* Clear statement that clients MUST provide a request control if they want
the password policy to apply normally
* Clear statement that the server will be basing its opinion on whether a
client supports the password policy on whether the client has provided a
request control.
* Mandating that the server must return a response control (in an erroneous
or warning situation) when the client has sent one



Cheers,
Andrew Sciberras.

P.S.
Please let me know if a new version of this draft is due to be made, I have
some other suggestions that I'd like to make. Thanks.



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext



--
Ludovic Poitou
Directory Architect.
Directory Server Group, Grenoble, France
Sun Microsystems Inc.

Sun Microsystems requires the following notice:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTICE:  This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged
information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply email and destroy
all copies of the original message.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext