
Re: [ldapext] Password Policy OIDs



On Fri, 2004-11-12 at 15:23 -0800, Howard Chu wrote:

> In general I dislike adding any feature in LDAP that is not itself also 
> manageable by LDAP. But it appears that there may be no other choice 
> here. For the Password Policy prototype that Neil Dunbar @ HP wrote, he 
> added an attribute specifying the name of an external executable program 
> to be used to validate the password. That punts the problem, but you can 
> no longer view your entire policy with just an LDAP search, you need 
> external knowledge.

Oh, the out-of-band checker was never meant to be a permanent solution -
just a way of getting something in place.

> With respect to external dictionaries, I'd say just use LDAP search URLs 
> and require the dictionary to exist as an LDAP entry.

I like this idea - have a dictionary in the DIT.

Since we're into ppolicy wishlists, I'd like to see something in a
policy specification which states that the password can not contain
literal combinations of specified attributes. For example:

pwdPolicyExcludedAttribute: cn
pwdPolicyExcludedAttribute: sn

meaning that the password can't contain the common name of the entry, or
the surname. And then the dictionary attribute becomes an LDAP search as
Howard suggests.

Cheers,

Neil


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
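An added example (not part of the thread or of any ppolicy implementation) of the check Neil proposes: a Python function that rejects a candidate password containing any value of the attributes listed in pwdPolicyExcludedAttribute, and that resolves a dictionary held in the DIT through an LDAP search URL as Howard suggests. The attribute name pwdPolicyDictionaryURL, the user entry, the policy entry and the dictionary words are all constructed for the example.

```python
# Constructed policy entry: names of attributes whose values may not appear in a password.
POLICY = {
    "pwdPolicyExcludedAttribute": ["cn", "sn"],
    # Hypothetical attribute (not on the page): LDAP search URL naming the dictionary entry.
    "pwdPolicyDictionaryURL": ["ldap:///cn=dictionary,dc=example,dc=com?dictWord?base"],
}

# Constructed user entry; LDAP attributes are multi-valued, so every value is a list.
ENTRY = {
    "cn": ["Neil Dunbar", "ndunbar"],
    "sn": ["Dunbar"],
    "mail": ["neil@example.com"],
}

# Constructed stand-in for the DIT: the dictionary entry reachable via the search URL.
DIT = {
    "cn=dictionary,dc=example,dc=com": {"dictWord": ["password", "letmein", "qwerty"]},
}


def dictionary_words(policy, dit):
    """Resolve each dictionary URL (base scope only, for this example) to its word list."""
    words = []
    for url in policy.get("pwdPolicyDictionaryURL", []):
        # Minimal parse of the RFC 4516 form ldap:///<dn>?<attrs>?<scope>
        dn, attr, scope = url.split("ldap:///", 1)[1].split("?")[:3]
        if scope != "base":
            raise ValueError("this example only resolves base-scope dictionary URLs")
        words.extend(dit.get(dn, {}).get(attr, []))
    return words


def check_password(password, entry, policy, dit):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    violations = []
    pw = password.casefold()  # compare case-insensitively, as a checker should
    for attr in policy.get("pwdPolicyExcludedAttribute", []):
        for value in entry.get(attr, []):
            # Reject the literal value and each whitespace-separated token of it, so that
            # 'Dunbar' from cn 'Neil Dunbar' is caught; tokens shorter than 3 chars are
            # skipped (an assumption of this example) to avoid rejecting on initials.
            for token in [value] + value.split():
                if len(token) >= 3 and token.casefold() in pw:
                    violations.append(f"contains {attr} value {token!r}")
                    break
    for word in dictionary_words(policy, dit):
        if word.casefold() in pw:
            violations.append(f"contains dictionary word {word!r}")
    return violations
```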