
Re: [ldapext] Re: Password Policy for LDAP Directories

Sounds good to me.


John  McMeeking


ldapext-bounces@ietf.org wrote on 10/24/2004 12:34:36 AM:

> I believe the intent (however wrongly formulated) was to allow the
> user to receive a warning no matter what. Even if the password's max
> age has passed, the user would be allowed pwdExpireWarning seconds
> to change the pwd. The definition of pwdExpireWarning talks about
> this in a not very precise way (The number of seconds before the
> password will expire after the user is first warned of its upcoming
> expiration.)
>
> Some history to help make sense of things:
>
> The password policy I-D was created as a blend of the (then)
> Netscape and Novell directory password policies.
>
> I believe the original implementors of pwdExpireWarning (Netscape)
> used this to both warn of expiration, and also allow some kind of
> grace login period.
> Novell's implementation didn't include the notion of a warning
> period. Only a number of grace logins.
>
> So now we have two ways of achieving 'grace login'.
>
> A better way of specifying the pwdExpireWarning and pwdMaxAge
> concepts would have been to use one attribute to specify an age at
> which an expiration warning is sent, and another attribute specified
> how long these warnings will continue before the password finally
> expires.
>
> I dislike having two similar but different grace mechanisms, so I
> propose that we remove pwdExpireWarned, and expire the password when
> it reaches pwdMaxAge (regardless of whether any warnings have been sent).
>
> I'll update the I-D to reflect this without debate (because the
> deadline is so near), and we can go from there.
>
> Jim
>
> >>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 9/14/04 7:48:25 PM >>>
> Hi Neil,
>
>
> Neil Dunbar wrote:
> <SNIP>
> > The pwdMaxAge should be the absolute maximum time that the password can
> > be used by anyone as a credential. The pwdExpirationWarning time, I
> > think, should be the earliest opportunity that the directory server can
> > warn the user that his/her password is approaching expiry. If the user
> > comes into the expiry period late in the game - tough. You can always
> > use the grace logins feature to allow the user with the dud password to
> > change it after it has ceased to be a meaningful credential for general
> > directory operations
> </SNIP>
>
>
> If someone was to implement the draft in its current form, their first
> warning time would indicate the time difference between the current time
> and the time that the password is due to expire. Subsequent logins would
> result in a warning time that will go beyond the specified pwdMaxAge
> allowing the user to receive their full warning period.
>
> Our implementation, which was based around the -05 version of the draft
> handled this inconsistency by returning an initial warning message of
> pwdExpireWarning.
>
> I've now noticed, in version -07 of the draft, that the following new
> line exists within the description of pwdExpireWarning:
> If not 0, the value must be smaller than the value of the pwdMaxAge
> attribute.
>
> This seriously implies that the author's intention is to ensure that the
> warning time does not exceed the maximum age of the password.
>
> I'm not extremely passionate about whether a user should receive their
> full warning period. Some consensus on this issue, and the author's
> opinion (Jim?) would be good though.
>
>
> Andrew Sciberras
> eB2Bcom - Software Engineer
>
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www1.ietf.org/mailman/listinfo/ldapext


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
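The bind-time evaluation the thread argues about, as an added worked example that is not from the I-D, from any poster, or from the Netscape, Novell or eB2Bcom implementations. It models both readings side by side: Jim's proposal (the password expires at pwdChangedTime + pwdMaxAge no matter when the user was first warned, with pwdGraceAuthNLimit as the only grace mechanism) and the "full warning period" reading Andrew describes (a user who is first warned late still gets pwdExpireWarning seconds, so expiry slides past pwdMaxAge). It also enforces the -07 constraint that a non-zero pwdExpireWarning be smaller than pwdMaxAge. The attribute names follow the I-D; Policy, Entry, BindResult, evaluate_bind, the strict_expiry flag and the first_warned_at bookkeeping field are my own assumptions, and all times are integer seconds.

```python
"""Added example: pwdMaxAge / pwdExpireWarning / grace-bind evaluation under
the two readings discussed in the thread. Not code from the I-D or from any
implementation; Policy, Entry, BindResult, evaluate_bind, strict_expiry and
first_warned_at are assumed names. Times are integer seconds."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Policy:
    pwdMaxAge: int            # seconds a password stays valid; 0 = never expires
    pwdExpireWarning: int     # seconds of warning before expiry; 0 = no warning
    pwdGraceAuthNLimit: int   # binds allowed after expiry; 0 = none

    def validate(self) -> None:
        # Constraint introduced in -07: if not 0, pwdExpireWarning must be
        # smaller than pwdMaxAge (a warning period cannot exceed the lifetime).
        if self.pwdMaxAge and self.pwdExpireWarning and self.pwdExpireWarning >= self.pwdMaxAge:
            raise ValueError("pwdExpireWarning must be smaller than pwdMaxAge")


@dataclass
class Entry:
    pwdChangedTime: int                                        # when the password was last set
    pwdGraceUseTime: List[int] = field(default_factory=list)   # one timestamp per grace bind
    first_warned_at: Optional[int] = None                      # assumed state for the full-warning reading


@dataclass
class BindResult:
    ok: bool
    warning_seconds: Optional[int] = None   # timeBeforeExpiration sent with the response
    grace_remaining: Optional[int] = None   # graceAuthNsRemaining sent with the response
    error: Optional[str] = None             # password-policy error, e.g. passwordExpired


def evaluate_bind(policy: Policy, entry: Entry, now: int, strict_expiry: bool = True) -> BindResult:
    """Evaluate one bind at time `now`, updating `entry` as a server would.

    strict_expiry=True : Jim's proposal; expiry is pwdChangedTime + pwdMaxAge,
                         whether or not any warning was ever delivered.
    strict_expiry=False: full-warning reading; the first late warning pushes
                         expiry out to first_warned_at + pwdExpireWarning.
    """
    if policy.pwdMaxAge == 0:
        return BindResult(ok=True)   # passwords never expire under this policy

    expiry = entry.pwdChangedTime + policy.pwdMaxAge
    warn_start = expiry - policy.pwdExpireWarning if policy.pwdExpireWarning else None

    if not strict_expiry and warn_start is not None:
        if now >= warn_start and entry.first_warned_at is None:
            entry.first_warned_at = now              # record when the user was first warned
        if entry.first_warned_at is not None:
            # Guarantee the full warning period even for a late first bind.
            expiry = max(expiry, entry.first_warned_at + policy.pwdExpireWarning)

    if now < expiry:
        if warn_start is not None and now >= warn_start:
            return BindResult(ok=True, warning_seconds=expiry - now)
        return BindResult(ok=True)

    # Password has expired: fall back to grace binds, if the policy allows any.
    used = len(entry.pwdGraceUseTime)
    if policy.pwdGraceAuthNLimit == 0 or used >= policy.pwdGraceAuthNLimit:
        return BindResult(ok=False, error="passwordExpired")
    entry.pwdGraceUseTime.append(now)
    return BindResult(ok=True, grace_remaining=policy.pwdGraceAuthNLimit - used - 1)


def demo() -> None:
    """Bind on a fixed schedule of days and print what each reading returns."""
    day = 86400
    policy = Policy(pwdMaxAge=30 * day, pwdExpireWarning=7 * day, pwdGraceAuthNLimit=2)
    policy.validate()
    for strict in (True, False):
        entry = Entry(pwdChangedTime=0)   # constructed: password set at t=0
        print("strict expiry at pwdMaxAge" if strict else "full warning period after a late first warning")
        for d in (10, 29, 32, 37, 40):
            print(f"  day {d:2d}: {evaluate_bind(policy, entry, now=d * day, strict_expiry=strict)}")


if __name__ == "__main__":
    demo()
```

Running demo() shows the divergence the thread is about: with a first bind on day 29, the strict reading reports one day of warning and then consumes grace binds from day 32 on, while the full-warning reading keeps the password valid until day 36 and only then starts drawing on pwdGraceAuthNLimit, so the two grace mechanisms stack exactly as Jim objects to.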