[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Password Policy operational attributes

To: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
Subject: Re: [ldapext] Password Policy operational attributes
From: Howard Chu <hyc@highlandsun.com>
Date: Mon, 22 Nov 2004 06:18:57 -0800
Cc: ldapext@ietf.org, Jim Sermersheim <jimse@novell.com>
In-reply-to: <41A1E72A.7080802@sun.com>
References: <s17e206c.043@sinclair.provo.novell.com> <41A1BA6E.9050307@highlandsun.com> <41A1E72A.7080802@sun.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041101

Ludovic Poitou wrote:

Draft 9 has not been published yet. Still working on it.
Adding the NO-USER-MODIFICATION keyword to the state information would prevent administrators to update the attributes for unlocking a user for example, and would probably require the introduction of a set of administration procedures for password policy management, such as unlocking a locked account ... The security considerations mention that ACI should be used to restrict access to the state attributes. I think that the security considerations need a little bit of work for clarification of the security issues and the recommandations.

OK, I guess I can understand that. But I don't think it's surprising to require a special administration procedure to directly manipulate these attributes. After all, in their normal operation, they are set completely automatically by directory-internal operations, so direct manipulation of their values could be viewed as an unusual/extraordinary occurrence.

There was also a question about whether a DSA should update an entry's modifiersName / modifyTimeStamp operational attributes whenever performing a Password Policy State Update. My opinion is no, since these are internal operations, but there's no explicit statement in the draft. The decision has some impact on replication, as some replication mechanisms might only propagate a change when they see a timestamp change.

Howard Chu wrote:
I vaguely recall someone mentioning that the policy schema would be updated again for draft 9, but I can't seem to find it in my mailbox now. (So was I just imagining it?) Anyway, it seems that the state information needs to be defined with NO-USER-MODIFICATION in order to serve its purpose, otherwise any user with write access to their own entry can circumvent most of the policies.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

References:
- [ldapext] Password Policy operational attributes
  - From: Howard Chu <hyc@highlandsun.com>
- Re: [ldapext] Password Policy operational attributes
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>

Prev by Date: Re: [ldapext] Password Policy operational attributes
Next by Date: Re: [ldapext] Password Policy operational attributes
Index(es):
- Chronological
- Thread