Re: [ldapext] Password Policy OIDs
On Fri, 2004-11-12 at 15:23 -0800, Howard Chu wrote:
> In general I dislike adding any feature in LDAP that is not itself also
> manageable by LDAP. But it appears that there may be no other choice
> here. For the Password Policy prototype that Neil Dunbar @ HP wrote, he
> added an attribute specifying the name of an external executable program
> to be used to validate the password. That punts the problem, but you can
> no longer view your entire policy with just an LDAP search, you need
> external knowledge.
Oh, the out-of-band checker was never meant to be a permanent solution -
just a way of getting something in place.
> With respect to external dictionaries, I'd say just use LDAP search URLs
> and require the dictionary to exist as an LDAP entry.
I like this idea - have a dictionary in the DIT.
Since we're into ppolicy wishlists, I'd like to see something in a
policy specification which states that the password can not contain
literal combinations of specified attributes. For example:
pwdPolicyExcludedAttribute: cn
pwdPolicyExcludedAttribute: sn
meaning that the password can't contain the common name of the entry, or
the surname. And then the dictionary attribute becomes an LDAP search as
Howard suggests.
Cheers,
Neil
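A worked sketch of the exclusion check proposed above, added here as example code that is not from the thread or from any ppolicy implementation. The sample entry, the word list standing in for a dictionary held in the DIT, and the function names are constructed; matching individual words of a multi-word value (so cn "Neil Dunbar" also rejects "neil-rocks") goes beyond the literal proposal.

```python
from typing import Dict, Iterable, List, Set

# Constructed sample entry, shaped like a decoded LDAP search result
# (attribute name -> list of values); not taken from any real directory.
SAMPLE_ENTRY: Dict[str, List[str]] = {
    "cn": ["Neil Dunbar"],
    "sn": ["Dunbar"],
    "mail": ["neil@example.com"],
}

# Constructed stand-in for a word list stored as an entry in the DIT; a real
# policy would fetch it with the LDAP search URL named in the policy.
SAMPLE_DICTIONARY: Set[str] = {"password", "letmein", "qwerty"}

def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    # LDAP attribute names are case-insensitive, so match them loosely.
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return values
    return []

def excluded_attribute_hits(password: str, entry: Dict[str, List[str]],
                            excluded: Iterable[str], min_token: int = 3) -> List[str]:
    """Excluded attributes whose value (or, beyond the literal proposal, any
    word of a multi-word value) appears in the password, case-insensitively."""
    pw = password.lower()
    hits = []
    for attr in excluded:
        for value in _values(entry, attr):  # multi-valued: any value is a hit
            candidates = {value} | {t for t in value.split() if len(t) >= min_token}
            if any(c and c.lower() in pw for c in candidates):
                hits.append(attr)
                break
    return hits

def dictionary_hits(password: str, dictionary: Set[str]) -> List[str]:
    """Dictionary words that occur inside the password, case-insensitively."""
    pw = password.lower()
    return sorted(w for w in dictionary if w and w.lower() in pw)

def check_password(password: str, entry: Dict[str, List[str]],
                   excluded: Iterable[str], dictionary: Set[str]) -> List[str]:
    """All policy violations for a candidate password; empty means it passes."""
    problems = [f"contains value of excluded attribute {a}"
                for a in excluded_attribute_hits(password, entry, excluded)]
    problems += [f"contains dictionary word {w}"
                 for w in dictionary_hits(password, dictionary)]
    return problems
```

The `excluded` list plays the role of the `pwdPolicyExcludedAttribute` values in the policy entry, and a pass is an empty list from `check_password`.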
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext