[Date Prev][Date Next] [Chronological] [Thread] [Top]

[ldapext] Re: Password Policy for LDAP Directories

To: Gabriele Garuglieri <gabriele.garuglieri@infoblu.it>
Subject: [ldapext] Re: Password Policy for LDAP Directories
From: Andrew Sciberras <andrew.sciberras@eB2Bcom.com>
Date: Fri, 10 Sep 2004 09:28:49 +1000
Cc: Ldapext <ldapext@ietf.org>
In-reply-to: <41404559.9010604@infoblu.it>
Organization: eB2Bcom
References: <41404559.9010604@infoblu.it>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.2) Gecko/20040803

Hi Gabriele,

I too have noticed this strange calculation of the warning time and sent a comment to this mailing list on the 20th November 2003. A copy of this message can be found in the archives: http://www.openldap.org/lists/ietf-ldapext/200311/msg00027.html

Basically, at the end of the day, our implementation will simply return the pwdExpireWarning as the first warning value.

My comments were made in regards to the -05 version of the draft. Currently the 'Password Policy for LDAP Directories' draft has expired so I am uncertain as to what the authors intend to do about this.

The solution to this is certainly consistency. There are two paths that you could go down: * Consistently expire at the MaxAge time, which is how you describe IBM's solution. * Always provide a warning time of pwdExpireWarning seconds.

I would argue that the way that the Tivoli Directory Server handles this is incorrect. It's my opinion, which also reflects our implementation, that the second option is preferable. For example, imagine that a server has the following rules: pwdMaxAge -> 500 seconds pwdExpireWarning -> 100 seconds

And the user logs on for the first time at t=495, then they should receive a whole 100 seconds to change their password, instead of the 5 seconds that the Tivoli Directory Server would provide.

Regards,
______________________________________
Andrew Sciberras
eB2Bcom - Software Engineer
EMail:    andrew.sciberras@eb2bcom.com
Web    http://www.eb2bcom.com

Gabriele Garuglieri wrote:

I 'm writing some java classes that are dealing with PasswordPolicyResponseValue and i'm having some doubts about the Behera draft. I'd be glad if someone could clarify the points that follow these two quotes from Behera draft: ------- 4.3.4 pwdExpirationWarned
  This attribute contains the time when the password expiration
  warning was first sent to the client. The password will expire in
  the pwdExpireWarning time.
-------
     D. Calculates whether the time before expiration warning should
        be sent.
        If the pwdExpireWarning attribute is present and contains a
        value, the server MUST perform the following steps.
            If the pwdExpirationWarned attribute is present and has a
            time value, the warning time is the value of the
            pwdExpirationWarned attribute plus the value of the
            pwdExpireWarning attribute minus the current time.
            If the pwdExpirationWarned attribute is not present, the
            server MUST subtract the current time from the time stored
            in pwdChangedTime to arrive at the password's age. If the
            age is greater than the value of the pwdMaxAge attribute
            minus the value of the pwdExpireWarning attribute, the
            server MUST set the current time as the value of the
            pwdExpirationWarned attribute, and the warning time is the
            value of pwdMaxAge minus the password's age.
-------
Reading the above i come to the following assumptions, please correct me if they are wrong:

1- the password will expire at (pwdExpirationWarned plus pwdExpireWarning) date. 2- the first time i bind within the warning period, when the pwdExpirationWarned is not yet initialized, the calculated warning time is equal to (pwdChangedTime plus pwdMaxAge) minus current time. 3- the second time i bind within the warning period, when the pwdExpirationWarned is already initialized, the calculated warning time is equal to (pwdExpirationWarned plus pwdExpireWarning) minus current time, which is a a value surely larger than the one calculated during the first bind.
The last two points have the following implications:
4- if i calculate the expiration date using the returned warning time i obtain two different values between first and any subsequent bind within the warning period, which i think is not very consistent. 5- the real expiration date can be extended well beyond the (pwdChangedTime plus pwdMaxAge), depending on when i first bind during the warning period, almost up to (pwdChangedTime plus pwdMaxAge plus pwdExpireWarning) if my fist bind within the warning period falls within the last usable second of (pwdChangedTime plus pwdMaxAge) time.

Last but least, i'm experimenting with Tivoli Directory server 5.1, whose behaviour seems to be happily ignoring all of the above, because the returned warning time, independently from any pwdExpirationWarned value, is ALWAYS (pwdChangedTime plus pwdMaxAge) minus current time. Can, please, someone shed some light on the correct Behera draft meaning?
Thanks, Gabriele.


--
_________________________________________
Andrew Sciberras
eB2Bcom - Software Engineer

Woodhouse Corporate Centre
Suite 3, 935 Station Street
Box Hill North, Victoria 3129, Australia

phone:	+61 3 9896 7833
fax: 	+61 3 9896 7801
mobile:	0412 098 771

EMail:	andrew.sciberras@eb2bcom.com
Web	http://www.eb2bcom.com


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Re: Password Policy for LDAP Directories
  - From: Neil Dunbar <neil.dunbar@hp.com>

Prev by Date: Re: [ldapext] Placement of DSETypes
Next by Date: Re: [ldapext] Re: Password Policy for LDAP Directories
Index(es):
- Chronological
- Thread