
Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed



Andrew Sciberras wrote:

In principle, I think that any client that cannot handle a password policy response control should not be interacting with a password policy enabled directory.

The majority of LDAP clients cannot handle a password policy response control and judging from my personal experience I wouldn't bet that this will change any time soon.


If the client is unable to interpret the contents of the control, it has
got a lot more than the changeAfterReset dilemma to worry about. Each of the
errors and warnings
	* timeBeforeExpiration,
	* graceLoginsRemaining,
	* passwordExpired,
	* accountLocked,
	* changeAfterReset,
	* passwordModNotAllowed,
	* mustSupplyOldPassword,
	* invalidPasswordSyntax,
	* passwordTooShort,
	* passwordTooYoung,
	* passwordInHistory
provides vital information as to why the directory is not (or will not in
the future be) behaving according to the "normal" LDAP protocol rules.

BindRequest should fail. That's it. Fine-grained error handling at the client would be nice but won't be possible with the majority of LDAP clients.

The server should provide an appropriate informational message in
LDAPResult.errorMessage though since most LDAP clients display or log this
message text. Yes, this is not perfect for client-side error handling but
it's common practice which somewhat helps in most situations.

* Clear statement that clients MUST provide a request control if they want
the password policy to apply normally

Are you saying here that the password policy should not be in effect if the client does not provide a request control? Maybe I did get you wrong?

* Clear statement that the server will be basing its opinion on whether a
client supports the password policy on whether the client has provided a
request control.

+1

* Mandating that the server must return a response control (in an erroneous
or warning situation) when the client has sent one

+1

Ciao, Michael.



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
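The thread turns on two things a client can act on after a BindResponse: the PasswordPolicyResponseValue carried in the response control (the error and warning names listed above), or, for the majority of clients that never send the request control, only the resultCode and LDAPResult.errorMessage. The following is an added example, not code from the draft, from OpenLDAP or from either correspondent. It assumes the control OID 1.3.6.1.4.1.42.2.27.8.5.1 and the ASN.1 layout of draft-behera-ldap-password-policy (warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceLoginsRemaining [1] INTEGER }, error [1] ENUMERATED, enumerated in the order of the list above starting at 0), and uses a small hand-written BER codec so that it runs offline; the sample control values it builds are constructed here, not captured from a server.

```python
"""Encode, decode and act on the LDAP Password Policy response control.

Added example for the ldapext thread; assumptions: control OID and the
PasswordPolicyResponseValue layout from draft-behera-ldap-password-policy,
with the error enumeration numbered in the order the thread lists it.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # assumed from the draft

# Error names in enumeration order (assumed: passwordExpired = 0 ... passwordInHistory = 8).
PPOLICY_ERRORS = [
    "passwordExpired", "accountLocked", "changeAfterReset",
    "passwordModNotAllowed", "mustSupplyOldPassword", "invalidPasswordSyntax",
    "passwordTooShort", "passwordTooYoung", "passwordInHistory",
]
PPOLICY_WARNINGS = {0: "timeBeforeExpiration", 1: "graceLoginsRemaining"}

# BER tags used in the response value.
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0   # [0] constructed: the CHOICE must be explicitly tagged
TAG_ERROR = 0x81     # [1] primitive ENUMERATED at SEQUENCE level
TAG_EXPIRE = 0x80    # [0] primitive INTEGER inside the warning CHOICE
TAG_GRACE = 0x81     # [1] primitive INTEGER inside the warning CHOICE


def _ber_len(n: int) -> bytes:
    """Definite-length encoding, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Two's-complement content octets for a non-negative INTEGER/ENUMERATED."""
    if n < 0:
        raise ValueError("only non-negative values are used by this control")
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, next_pos) for the single-byte-tag TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:end], end


def encode_ppolicy_response(warning: Optional[Tuple[str, int]] = None,
                            error: Optional[str] = None) -> bytes:
    """Build a PasswordPolicyResponseValue (what a server would put in the control)."""
    body = b""
    if warning is not None:
        kind, value = warning
        tag = {"timeBeforeExpiration": TAG_EXPIRE, "graceLoginsRemaining": TAG_GRACE}[kind]
        content = _ber_int(value)
        inner = bytes([tag]) + _ber_len(len(content)) + content
        body += bytes([TAG_WARNING]) + _ber_len(len(inner)) + inner
    if error is not None:
        content = _ber_int(PPOLICY_ERRORS.index(error))
        body += bytes([TAG_ERROR]) + _ber_len(len(content)) + content
    return bytes([TAG_SEQUENCE]) + _ber_len(len(body)) + body


@dataclass
class PPolicyResponse:
    warning: Optional[str] = None
    warning_value: Optional[int] = None
    error: Optional[str] = None


def decode_ppolicy_response(value: bytes) -> PPolicyResponse:
    """Strictly parse a control value; anything malformed raises ValueError."""
    tag, seq, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    resp, pos = PPolicyResponse(), 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == TAG_WARNING:
            wtag, wcontent, wend = _read_tlv(content, 0)
            if wend != len(content) or wtag not in (TAG_EXPIRE, TAG_GRACE):
                raise ValueError("malformed warning CHOICE")
            resp.warning = PPOLICY_WARNINGS[wtag & 0x1F]
            resp.warning_value = int.from_bytes(wcontent, "big", signed=True)
        elif tag == TAG_ERROR:
            code = int.from_bytes(content, "big", signed=True)
            if not 0 <= code < len(PPOLICY_ERRORS):
                raise ValueError(f"unknown ppolicy error code {code}")
            resp.error = PPOLICY_ERRORS[code]
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return resp


def interpret_bind_result(result_code: int, error_message: str,
                          controls: Dict[str, bytes]) -> str:
    """Diagnose a BindResponse the way the thread describes.

    With the response control present the client learns the exact reason;
    without it (the common case) only resultCode and errorMessage are available.
    """
    raw = controls.get(PPOLICY_CONTROL_OID)
    if raw is None:
        if result_code == 0:
            return "bind ok (no password policy control returned)"
        return f"bind failed (resultCode={result_code}): {error_message or 'no errorMessage'}"
    resp = decode_ppolicy_response(raw)
    if result_code != 0:
        return f"bind failed (resultCode={result_code}): ppolicy error {resp.error or 'unspecified'}"
    if resp.error == "changeAfterReset":
        return "bind ok but password MUST be changed first (changeAfterReset)"
    if resp.warning is not None:
        return f"bind ok, warning {resp.warning}={resp.warning_value}"
    return "bind ok"


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    locked = encode_ppolicy_response(error="accountLocked")
    reset = encode_ppolicy_response(warning=("graceLoginsRemaining", 2), error="changeAfterReset")
    print(interpret_bind_result(49, "Account locked", {PPOLICY_CONTROL_OID: locked}))
    print(interpret_bind_result(0, "", {PPOLICY_CONTROL_OID: reset}))
    print(interpret_bind_result(49, "Invalid credentials", {}))   # control-less client
```

The decoder is deliberately strict (single SEQUENCE, known tags only, no trailing bytes) because the control value arrives from the server unauthenticated by anything but the bind itself; a client that falls back to errorMessage when the control is absent gets the behaviour Michael describes, while one that sent the request control gets the precise reason.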