Re: [ldapext] Password Policy OIDs

[Howard Chu <hyc@highlandsun.com>]

Neal-Joslin, Robert (HP-UX Lab R&D) wrote:
> Hi John,
>
> Yes, that is roughly it.  See in-line.

> > Its looks more to me like what Bob really was after was a 
> > policy attribute
> > that could be used to describe any rule -- assuming the 
> > server understood
> > it.
> >
> > In that light, maybe my suggestion was a bit off the mark - 
> > or at least a
> > quite different approach to the problem.  I think it would be quite
> > reasonable to define a multi-valued attribute, say pwdPolicyRule, that
> > consisted of three parts:
> > - name for this rule instance
> > - OID for the rule it describes (server must implement this rule &
> > advertise it?)
> > - parameters for the rule, perhaps in some XML format - or 
> > maybe the whole
> > attribute in XML.

In general I dislike adding any feature in LDAP that is not itself also 
manageable by LDAP. But it appears that there may be no other choice 
here. For the Password Policy prototype that Neil Dunbar @ HP wrote, he 
added an attribute specifying the name of an external executable program 
to be used to validate the password. That punts the problem, but you can 
no longer view your entire policy with just an LDAP search, you need 
external knowledge.

With respect to external dictionaries, I'd say just use LDAP search URLs 
and require the dictionary to exist as an LDAP entry.

> XML would be fine, especially for readability.  And XML format probably should be recommended.  But I like the option of leaving the encoding up to the implementer.  We're assuming that XML would suit everyone's needs.  More importantly, the I would argue that we can't come up with a single DTD.

XML is ok for representing data. But when you are talking about a 
collection of rules and behaviors, what you're talking about is really a 
program, and what would be best here would be a scripting language. perl 
 would be well suited to the task, and I'm sure there are others.

> > The attribute would use something like a "policy rule name" 
> > matching rule -
> > i.e. each pwdPolicyRule value must have a unique name.  This 
> > would allow
> > multiple instances of a given rule OID.
> >
> > A combination of required chars and excluded character 
> > policies might look
> > like (pardon my XML):
> >
> > # requires 2 special characters, 1 from each of these sets:
> > pwdPolicyRule: rule1 requiredchars-oid <rule count="1" chars="!@#$" />
> > pwdPolicyRule: rule2 requiredchars-oid <rule count="1" chars="%^&" />
> > # vowels not allowed
> > pwdPolicyRule: rule3 excludedchars-oid <rule chars="aeiouAEIOU" />
> >
> > I suppose a better version might be:
> > pwdPolicyRule: <excludedCharsRule name="rule3" chars="aeiouAEIOU" />
>
> As I hinted in my last message, we may need an optional "Required Rule" field.  For example, let's suppose I want to encode the following policy...
>
> "Password must have at least 4 characters and not be in a dictionary.  It must also contain 3 of the following: 1 upper case character, 1 lower case character, 1 character of '!@#$%^&*()_+=[]-' or 1 numeric digit.
>
> To encode this, I would need a way to specify that "min 4" and "not in dictionary" are required.  And in addition, I would need a rule that says at least 3 of the "non-required" rules must pass.
>
> Yes, this is getting ugly.  And I don't want to hinder the progress of the pwd-policy draft.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext