
Re: [ldapext] Re: Password Policy for LDAP Directories



Correct (sort of). It will be (pwdChangedTime + pwdMaxAge) - current time.
 
Jim
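To make the timeBeforeExpiration arithmetic in Jim's reply concrete, here is an added Python example (not code from the thread or from any of the implementations mentioned); it computes the value as (pwdChangedTime + pwdMaxAge) - current time and enforces the draft -07 rule, quoted further down, that a non-zero pwdExpireWarning must be smaller than pwdMaxAge. Policy values and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form used by pwdChangedTime, e.g. '20041027000946Z'."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class PasswordPolicy:
    pwd_max_age: int         # seconds a password may be used; 0 = never expires
    pwd_expire_warning: int  # seconds before expiry at which warnings start; 0 = no warnings

    def __post_init__(self) -> None:
        # Constraint from draft -07: if not 0, pwdExpireWarning must be smaller
        # than pwdMaxAge, so the warning window can never outlive the password.
        if self.pwd_expire_warning and self.pwd_expire_warning >= self.pwd_max_age:
            raise ValueError("pwdExpireWarning must be smaller than pwdMaxAge")


def evaluate_expiry(policy: PasswordPolicy, pwd_changed_time: str, now: str) -> tuple[str, int]:
    """Return (state, seconds) for a bind at 'now'; both times are GeneralizedTime strings.

    state is 'ok', 'warning' or 'expired'. In the 'warning' state, seconds is the
    timeBeforeExpiration value for the PasswordPolicyResponseValue, computed as
    (pwdChangedTime + pwdMaxAge) - current time, so it shrinks on every bind
    instead of restarting from pwdExpireWarning.
    """
    if policy.pwd_max_age == 0:
        return ("ok", 0)  # no expiry configured, nothing to warn about
    expires_at = parse_generalized_time(pwd_changed_time) + timedelta(seconds=policy.pwd_max_age)
    remaining = int((expires_at - parse_generalized_time(now)).total_seconds())
    if remaining <= 0:
        # Past pwdMaxAge: expired regardless of whether any warning was ever sent;
        # a server would return the passwordExpired error or consume a grace login.
        return ("expired", remaining)
    if policy.pwd_expire_warning and remaining <= policy.pwd_expire_warning:
        return ("warning", remaining)
    return ("ok", remaining)
```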

>>> Gabriele Garuglieri <gabriele.garuglieri@infoblu.it> 10/27/04 12:09:46 AM >>>
Hi all,
I agree with that, it makes sense.
I think this implies that when we are in the pwdExpireWarning period, the
PasswordPolicyResponseValue timeBeforeExpiration will always have the
predictable value of pwdMaxAge - current time, doesn't it?
Regards, Gabriele.

Jim Sermersheim wrote:

> I believe the intent (however wrongly formulated) was to allow the
> user to receive a warning no matter what. Even if the password's max
> age has passed, the user would be allowed pwdExpireWarning seconds to
> change the pwd. The definition of pwdExpireWarning talks about this in
> a not very precise way (The number of seconds before the password will
> expire after the user is first warned of its upcoming expiration.)
>
> Some history to help make sense of things:
>
> The password policy I-D was created as a blend of the (then) Netscape
> and Novell directory password policies.
>
> I believe the original implementors of pwdExpireWarning (Netscape)
> used this to both warn of expiration, and also allow some kind of
> grace login period.
> Novell's implementation didn't include the notion of a warning period.
> Only a number of grace logins.
>
> So now we have two ways of achieving 'grace login'.
>
> A better way of specifying the pwdExpireWarning and pwdMaxAge concepts
> would have been to use one attribute to specify an age at which an
> expiration warning is sent, and another attribute specified how long
> these warnings will continue before the password finally expires.
>
> I dislike having two similar but different grace mechanisms, so I
> propose that we remove pwdExpireWarned, and expire the password when
> it reaches pwdMaxAge (regardless of whether any warnings have been sent).
>
> I'll update the I-D to reflect this without debate (because the
> deadline is so near), and we can go from there.
>
> Jim
>
> >>> Andrew Sciberras <andrew.sciberras@eB2Bcom.com> 9/14/04 7:48:25 PM >>>
> Hi Neil,
>
>
> Neil Dunbar wrote:
> <SNIP>
> > The pwdMaxAge should be the absolute maximum time that the password can
> > be used by anyone as a credential. The pwdExpirationWarning time, I
> > think, should be the earliest opportunity that the directory server can
> > warn the user that his/her password is approaching expiry. If the user
> > comes into the expiry period late in the game - tough. You can always
> > use the grace logins feature to allow the user with the dud password to
> > change it after it has ceased to be a meaningful credential for general
> > directory operations
> </SNIP>
>
>
> If someone were to implement the draft in its current form, their first
> warning time would indicate the time difference between the current time
> and the time that the password is due to expire. Subsequent logins would
> result in a warning time that will go beyond the specified pwdMaxAge
> allowing the user to receive their full warning period.
>
> Our implementation, which was based around the -05 version of the draft,
> handled this inconsistency by returning an initial warning message of
> pwdExpireWarning.
>
> I've now noticed, in version -07 of the draft, that the following new
> line exists within the description of pwdExpireWarning:
> If not 0, the value must be smaller than the value of the pwdMaxAge
> attribute.
>
> This seriously implies that the author's intention is to ensure that the
> warning time does not exceed the maximum age of the password.
>
> I'm not extremely passionate about whether a user should receive their
> full warning period. Some consensus on this issue, and the author's
> opinion (Jim?) would be good though.
>
>
> Andrew Sciberras
> eB2Bcom - Software Engineer


--
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°
° Gabriele Garuglieri °
° Infoblu S.p.A °
° c/o Nuovo Centro Direzionale °
° Autostrade // per l'Italia °
° svincolo autostradale Firenze Nord °
° 50013 Campi Bisenzio - Firenze °
° ======================================== °
° email: gabriele.garuglieri@infoblu.it °
° phone: +390554202832 °
°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°°


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext