Regarding replication, I favor allowing implementations to solve their
own consistency problems. A highly usable implementation would allow
for any state attribute to be configured for different levels of
replication consistency (from "never replicated", to whatever the
highest level of consistency available is). This way the admin can
decide how consistently the state data is replicated.
I guess what I'm saying is that I see this as a replication problem in
general, and would rather not solve this level of replication problems
in the password policy I-D by defining multiple sets of attributes and
specifying different grades of replication requirements for each. I do
think it's reasonable to address problems of loose consistency — which
is what led to time being used for things like the failure count.
Jim
>>> Howard Chu <hyc@highlandsun.com> 2/23/05 9:11:53 PM >>>
John McMeeking wrote:
> I've had some recent requests for some sort of "last login time" attribute
> or an "unused account" policy so that accounts can be disabled if they have
> not been used for 6 months. Would either of these be appropriate for the
> password policy draft?
Both of those sound like good things to have, and it does seem to tie in
to the rest of the password policy features. There would still be
replication issues here.
It seems to me that one solution to these replicated state attributes
may be to define a second set of attributes - one that is DSA-specific,
never implicitly replicated, and another one that serves as an aggregate
for a collection of servers. Then one can specify policies for each set
independently, e.g., "number of failed attempts" on a single DSA vs
across the network. Sites that require total accountability could set a
policy implementing counts across all replicas, other sites that want to
avoid the overhead of maintaining centralized counts could set a policy
using only DSA-specific attributes.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com
http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
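The trade-off discussed in the thread above, a per-DSA versus an aggregate failure count, and the reason time values rather than counters survive loose replication consistency, worked through in Python. This is an added example, not code from the thread, from the password policy I-D or from any directory server. The attribute names pwdFailureTime, pwdMaxFailure, pwdFailureCountInterval and pwdLastSuccess follow the I-D; pwdFailureCount (a single-valued counter used only as the contrasting design), the policy values and the two-replica state are assumptions constructed for the illustration.

```python
"""Added illustration (not code from the thread or from any LDAP server):
why multi-valued failure timestamps tolerate loose replication consistency
where a replicated integer counter does not, and how the same state gives
both a per-DSA and an aggregate lockout decision.

Attribute names pwdFailureTime, pwdMaxFailure, pwdFailureCountInterval and
pwdLastSuccess follow the password policy I-D; pwdFailureCount is a
hypothetical single-valued counter used only as the contrasting design.
The policy values and the sample replica state are constructed."""
from datetime import datetime, timedelta, timezone

PWD_MAX_FAILURE = 4                                 # assumed pwdMaxFailure
PWD_FAILURE_COUNT_INTERVAL = timedelta(minutes=30)  # assumed pwdFailureCountInterval
UNUSED_ACCOUNT_AFTER = timedelta(days=180)          # assumed "6 months" of inactivity


def parse_gt(value):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def merge_counters_lww(replicas):
    """Single-valued counter replicated last-writer-wins: whichever DSA wrote
    the entry most recently overwrites the failures the other DSA recorded."""
    latest = max(replicas, key=lambda r: r["modifyTimestamp"])
    return latest["pwdFailureCount"]


def merge_failure_times(replicas):
    """Multi-valued timestamps merge by set union, which is commutative,
    associative and idempotent: a value that already replicated to both
    DSAs is not double-counted, and replication order does not matter."""
    merged = set()
    for replica in replicas:
        merged |= set(replica["pwdFailureTime"])
    return merged


def failure_count(times, now):
    """Only failures inside pwdFailureCountInterval still count."""
    cutoff = now - PWD_FAILURE_COUNT_INTERVAL
    return sum(1 for t in times if parse_gt(t) > cutoff)


def is_locked(times, now):
    return failure_count(times, now) >= PWD_MAX_FAILURE


def evaluate(replicas, now):
    """Per-DSA decision from local attributes only, alongside the aggregate
    decision over the union of every replica's failure times."""
    per_dsa = {r["dsa"]: is_locked(r["pwdFailureTime"], now) for r in replicas}
    aggregate = is_locked(merge_failure_times(replicas), now)
    return per_dsa, aggregate


def last_login(replicas):
    """Most recent successful bind seen on any replica; max() is likewise an
    order-independent merge, so a "last login time" replicates safely."""
    return max(parse_gt(t) for r in replicas for t in r["pwdLastSuccess"])


def is_unused(replicas, now):
    """The "unused account" policy: no successful bind inside the window."""
    return now - last_login(replicas) > UNUSED_ACCOUNT_AFTER


# Constructed state of one entry as held by two DSAs. The 02:40 failure has
# already replicated to both; each DSA also holds failures the other has not
# yet received, and dsa1 holds one failure older than the counting interval.
NOW = parse_gt("20050224030000Z")
REPLICAS = [
    {"dsa": "dsa1", "modifyTimestamp": "20050224025500Z", "pwdFailureCount": 3,
     "pwdFailureTime": ["20050224010000Z", "20050224024000Z", "20050224025500Z"],
     "pwdLastSuccess": ["20040601120000Z"]},
    {"dsa": "dsa2", "modifyTimestamp": "20050224025800Z", "pwdFailureCount": 3,
     "pwdFailureTime": ["20050224024000Z", "20050224025000Z", "20050224025800Z"],
     "pwdLastSuccess": ["20040801120000Z"]},
]

if __name__ == "__main__":
    per_dsa, aggregate = evaluate(REPLICAS, NOW)
    print("last-writer-wins counter:", merge_counters_lww(REPLICAS))
    print("union of failure times in interval:",
          failure_count(merge_failure_times(REPLICAS), NOW))
    print("locked per DSA:", per_dsa, "locked aggregate:", aggregate)
    print("unused account:", is_unused(REPLICAS, NOW))
```

With this state neither DSA locks the account on its own (two and three recent failures against a limit of four), the last-writer-wins counter reports three and also does not lock, but the union of timestamps yields four distinct recent failures and locks. Summing the two per-DSA counts would have given five, since the 02:40 failure sits on both replicas; the set union avoids that double count without any coordination, which is the property a site choosing the aggregate policy is paying for.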