
Re: [ldapext] draft-behera-ldap-password-policy - last login time



John McMeeking wrote:

> I've had some recent requests for some sort of "last login time" attribute
> or a "unused account" policy so that accounts can be disabled if they have
> not been used for 6 months.  Would either of these be appropriate for the
> password policy draft?

Both of those sound like good things to have, and it does seem to tie in to the rest of the password policy features. There would still be replication issues here.


It seems to me that one solution to these replicated state attributes may be to define a second set of attributes - one that is DSA-specific, never implicitly replicated, and another one that serves as an aggregate for a collection of servers. Then one can specify policies for each set independently, e.g., "number of failed attempts" on a single DSA vs across the network. Sites that require total accountability could set a policy implementing counts across all replicas; other sites that want to avoid the overhead of maintaining centralized counts could set a policy using only DSA-specific attributes.

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
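The two ideas in this exchange, an "unused account" check driven by a last-login timestamp and a failed-bind count evaluated either per DSA or across all replicas, modelled in Python as an added example. This is not code from the draft, from OpenLDAP, or from either poster. The attribute name lastLoginTime, the per-replica failure counters, the 180-day idle window and the sample entries are all assumptions made for the illustration; createTimestamp is the standard operational attribute, and the timestamp parser follows the LDAP GeneralizedTime syntax.

```python
"""Added example: 'unused account' check plus per-DSA vs network-wide lockout counts.

`lastLoginTime` and the per-replica failure counters are hypothetical stand-ins for
whatever the draft finally defines; `createTimestamp` is the standard operational
attribute. Entries are modelled as dicts of attribute -> list of string values, the
shape most LDAP client libraries return.
"""
import re
from datetime import datetime, timedelta, timezone

# LDAP GeneralizedTime: YYYYMMDDHH[MM[SS]][.fraction](Z|+hhmm|-hhmm).
# The fraction is matched but ignored; whole seconds are enough for an idle check.
_GT = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(?:[.,]\d+)?(Z|[+-]\d{2}(?:\d{2})?)$"
)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime string into a timezone-aware datetime."""
    m = _GT.match(value)
    if not m:
        raise ValueError(f"not a GeneralizedTime: {value!r}")
    year, month, day, hour = (int(m.group(i)) for i in range(1, 5))
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    tz = m.group(7)
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        off_h = int(tz[1:3])
        off_m = int(tz[3:5]) if len(tz) == 5 else 0
        tzinfo = timezone(sign * timedelta(hours=off_h, minutes=off_m))
    return datetime(year, month, day, hour, minute, second, tzinfo=tzinfo)


def last_activity(entry: dict) -> datetime:
    """When the account was last used. Falls back to creation time for accounts
    that have never logged in, so they are aged out too instead of being skipped."""
    for attr in ("lastLoginTime", "createTimestamp"):  # lastLoginTime is hypothetical
        if entry.get(attr):
            return parse_generalized_time(entry[attr][0])
    raise ValueError("entry has neither lastLoginTime nor createTimestamp")


def unused_accounts(entries: dict, now: datetime, max_idle: timedelta) -> list:
    """Sorted DNs of accounts whose last activity is older than max_idle."""
    return sorted(dn for dn, e in entries.items() if now - last_activity(e) > max_idle)


def failure_count(local_counts: dict, this_dsa: str, scope: str) -> int:
    """Failed-bind count under one of the two policy scopes discussed above.

    'dsa'     -> only this server's never-replicated counter
    'network' -> the aggregate over every replica's counter
    """
    if scope == "dsa":
        return local_counts.get(this_dsa, 0)
    if scope == "network":
        return sum(local_counts.values())
    raise ValueError(f"unknown scope {scope!r}")


def locked_out(local_counts: dict, this_dsa: str, threshold: int, scope: str) -> bool:
    return failure_count(local_counts, this_dsa, scope) >= threshold


# --- constructed sample data, not taken from any real directory ---
NOW = datetime(2005, 2, 1, tzinfo=timezone.utc)
MAX_IDLE = timedelta(days=180)  # "6 months", chosen here as an assumption
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20040101000000Z"],
        "lastLoginTime": ["20050115083000Z"],      # 17 days ago: still active
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20040101000000Z"],
        "lastLoginTime": ["20040601120000-0700"],  # non-UTC offset, ~8 months ago
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "createTimestamp": ["20040301000000Z"],    # never logged in
    },
}
# Three replicas, each holding its own never-replicated counter for one user.
LOCAL_FAILURES = {"dsa1": 2, "dsa2": 2, "dsa3": 1}
THRESHOLD = 5

if __name__ == "__main__":
    print("unused:", unused_accounts(ENTRIES, NOW, MAX_IDLE))
    for scope in ("dsa", "network"):
        print(scope, "count seen from dsa1 =", failure_count(LOCAL_FAILURES, "dsa1", scope),
              "locked:", locked_out(LOCAL_FAILURES, "dsa1", THRESHOLD, scope))
```

The sample counters show the trade-off concretely: five failures spread as 2/2/1 across three replicas never reach a per-DSA threshold of 5, so a guesser who rotates binds between servers is invisible to the DSA-scoped policy and only the network-wide aggregate locks the account. The fallback to createTimestamp matters for the same reason; an account that has never been used has no last-login value and would otherwise escape the idle policy entirely.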

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext