|
I believe the intent (however wrongly formulated) was to allow the user to receive a warning no matter what. Even if the password's max age has passed, the user would be allowed pwdExpireWarning seconds to change the pwd. The definition of pwdExpireWarning talks about this in a not very precise way (The number of seconds before the password will expire after the user is first warned of its upcoming expiration.)
Some history to help make sense of things:
The password policy I-D was created as a blend of the (then) Netscape and Novell directory password policies.
I believe the original implementors of pwdExpireWarning (Netscape) used this to both warn of expiration, and also allow some kind of grace login period.
Novell's implementation didn't include the notion of a warning period. Only a number of grace logins.
So now we have two ways of achieving 'grace login'.
A better way of specifying the pwdExpireWarning and pwdMaxAge concepts would have been to use one attribute to specify an age at which an expiration warning is sent, and another attribute specified how long these warnings will continue before the password finally expires.
I dislike having two similar but different grace mechanisms, so I propose that we remove pwdExpireWarned, and expire the password when it reaches pwdMaxAge (regardless of whether any warnings have been sent).
I'll update the I-D to reflect this without debate (because the deadline is so near), and we can go from there.
Jim
>>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 9/14/04 7:48:25 PM >>> Hi Niel, Neil Dunbar wrote: <SNIP> > The pwdMaxAge should be the absolute maximum time that the password can > be used by anyone as a credential. The pwdExpirationWarning time, I > think, should be the earliest opportunity that the directory server can > warn the user that his/her password is approaching expiry. If the user > comes into the expiry period late in the game - tough. You can always > use the grace logins feature to allow the user with the dud password to > change it after it has ceased to be a meaningful credential for general > directory operations </SNIP> If someone was to implement the draft in its current form, their first warning time would indicate the time difference between the current time and the time that the password is due to expire. Subsequent logins would result in a warning time that will go beyond the specified pwdMaxAge allowing the user to receive their full warning period. Our implementation, which was based around the -05 version of the draft handled this inconsistency by returning an initial warning message of pwdExpireWarning. I've now noticed, in version -07 of the draft, that the following new line exists within the description of pwdExpireWarning: If not 0, the value must be smaller than the value of the pwdMaxAge attribute. This seriously implies that the author's intention is to ensure that the warning time does not exceed the maximum age of the password. I'm not extremely passionate about whether a user should receive their full warning period. Some consensus on this issue, and the author's opinion (Jim?) would be good though. Andrew Sciberras eB2Bcom - Software Engineer |
_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext