
Re: [ldapext] draft-behera-ldap-password-policy - last login time






I can't say I'm raising my hand to author a draft, but I agree that this is
rather outside the realm of the current password policy and might be better
managed in a separate draft.

It seems that at least a few people think this is the kind of thing a
directory server would reasonably be expected to support.  Next question is
whether this kind of thing needs to be done in a standard way.  Would we
expect application developers to be writing applications that would need to
access these attributes or policies through LDAP?  If so, would these be
applications that would typically be expected to need to support multiple
directory vendors with minimal tailoring?  Or would they be in-house
applications that need only work with the user's current directory?

John  McMeeking


"Jim Sermersheim" <jimse@novell.com> wrote on 02/23/2005 11:59:12 PM:

> Occasionally we hear requests to add new policy to that draft which
> squarely lands in the realm of "login" policy, and other times we
> get requests to remove policy like intruder detection as it has more
> to do with logging in than management of passwords (though it kind
> of leaks into both areas).
>
> Usually though, consensus seems to point to putting login policy
> into a draft of its own. This could also contain things like maximum
> concurrent logins and allowed login times.
>
> If someone could author that I-D, we could possibly define intruder
> detection in a way that it could be consumed from a password modify
> perspective in the password policy I-D, and consumed from a password
> usage perspective in the login policy I-D.
>
> Or, maybe it would be best to glob everything into a single I-D (my
> feeling is this is worse). The problem I see currently is a lack of
> resources to push both of these areas of policy forward together in
> a coordinated way.
>
> Jim
>
>
> >>> John McMeeking <jmcmeek@us.ibm.com> 2/23/05 1:17:11 PM >>>
>
>
>
>
> I've had some recent requests for some sort of "last login time" attribute
> or an "unused account" policy so that accounts can be disabled if they have
> not been used for 6 months. Would either of these be appropriate for the
> password policy draft?
>
>
> John McMeeking
>
>
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www1.ietf.org/mailman/listinfo/ldapext

