[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] draft-behera-ldap-password-policy - operational attrs

To: andrew.sciberras@eB2Bcom.com
Subject: Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
From: Howard Chu <hyc@highlandsun.com>
Date: Fri, 29 Apr 2005 08:56:22 -0700
Cc: Duane Buss <DBuss@novell.com>, ldapext@ietf.org, Tammy Green <TGREEN@novell.com>, Ludovic Poitou <Ludovic.Poitou@Sun.COM>, Zhanna Tsitkova <ZTsitkova@novell.com>, Jim Sermersheim <jimse@novell.com>
In-reply-to: <427255BA.1080800@eB2Bcom.com>
References: <s26f4df9.041@sinclair.provo.novell.com> <42700F0B.1060406@eB2Bcom.com> <4272537E.1000303@sun.com> <427255BA.1080800@eB2Bcom.com>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050419

Andrew Sciberras wrote:

I suppose I should note that I have intentionally omitted pwdReset from the attributes that require NO-USER-MODIFICATION. This is due to the fact that I believe an administrator should be able to modify this value at their discretion to force a user to change their password.


Understood. I'm in agreement there too.

Andrew Sciberras.
Ludovic Poitou wrote:
I also agree.
Ludovic.
Andrew Sciberras wrote:
Hi
Jim Sermersheim wrote:
While I worry a bit about your implementation (though it's not really my place to), I agree with your final assessment, we should change these to NO-USER-MODIFICATION. Anyone disagree?
This sounds alright to me. Since we're actually making some the the state attributes NO-USER-MODIFICATION, perhaps we should look at the others as well. I'm thinking that pwdAccountLockedTime, pwdFailureTime and pwdPolicySubentry should also be included in this list.

Jim
Andrew.
 >>> Howard Chu <hyc@highlandsun.com> 4/26/05 8:41 AM >>>
I kept meaning to raise this question, but it seems to have fallen thru
the cracks. For the OpenLDAP implementation, I needed to change these
operational attributes to NO-USER-MODIFICATION:
pwdChangedTime, pwdGraceUseTime, and pwdHistory
We have a problem because of the way we process a password change - if a user is changing their own password, that Modify request is performed using the user's identity. To do bookkeeping on the above operational attributes, we internally append some modify operations to the user's Modify request, and then the augmented request is passed down to the usual Modify processing. One other factor in our implementation is that user-modifiable attributes are subject to ACL checks, non-modifiable attributes are not. So, userPassword is user-modifiable, and typically users are given permission to write their own password. But they shouldn't have permission to write the above three attributes, because then they can just bypass a lot of the policies that rely on those attributes.
So with the default definitions, we have a problem because the user may
have permission to update the userPassword attr, but no permissions to
the other attrs.
Alternatively we can break things up into two separate Modify operations, doing the user's original request and then using system privileges to handle the bookkeeping, but I'm not keen on that approach. It introduces some lag in a replication scenario, where the password change itself will get replicated separately from the bookkeeping update.

Fundamentally I believe NO-USER-MODIFICATION is appropriate for these attributes. Issues with our implementation can be worked around, but I'd rather clear this up regardless.

-- -- Howard Chu Chief Architect, Symas Corp. Director, Highland Sun _http://www.symas.com <http://www.symas.com/>_ _http://highlandsun.com/hyc_ Symas: Premier OpenSource Development and Support
_______________________________________________
Ldapext mailing list
_Ldapext@ietf.org <mailto:Ldapext@ietf.org>_
_https://www1.ietf.org/mailman/listinfo/ldapext_
------------------------------------------------------------------------
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

--
  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

References:
- Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
  - From: "Jim Sermersheim" <jimse@novell.com>
- Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
  - From: Andrew Sciberras <andrew.sciberras@eB2Bcom.com>
- Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
  - From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
- Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
  - From: Andrew Sciberras <andrew.sciberras@eB2Bcom.com>

Prev by Date: Re: [ldapext] draft-behera-ldap-password-policy - operational attrs
Index(es):
- Chronological
- Thread