
RE: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed



>Michael Ströder wrote:
>
>BindRequest should fail. That's it.

I really believe that the compare should fail as well.
The description for the 'Compare Operation':
"The compare operation MAY be used to compare a password. This might
 be performed when a client wishes to verify that user's supplied
 password is correct. An example of this is an LDAP HTTP
 authentication redirector. It may be desirable to use this rather
 than performing a bind operation in order to reduce possible
 overhead involved in performing a bind."

Surely this is the exact scenario for which we are having this
discussion; a client using the directory to authenticate someone's
password to grant them access to another service.

>> * Clear statement that clients MUST provide a request
>> control if they want
>> the password policy to apply normally
>
>Are you saying here that the password policy should not be in
>effect if the
>client does not provide a request control? Maybe I did get you wrong?
>

I think my words just came out a little wrong.
I'm just saying that if a client does support the password policy control,
then they MUST provide it. Otherwise the directory may make some incorrect
assumptions about the client, which will lead to the password policy
not being enforced normally, e.g. Bind failing due to pwdReset instead of
succeeding.

Andrew Sciberras.

>Ciao, Michael.
>

