[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Password Policy draft 9

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: [ldapext] Password Policy draft 9
From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
Date: Fri, 02 Sep 2005 13:07:28 +0200
Cc: ldapext@ietf.org
In-reply-to: <4317648F.7030603@highlandsun.com>
Organization: Sun Microsystems Inc.
References: <42F209AD0200001C000383DC@lyle.provo.novell.com> <4317648F.7030603@highlandsun.com>
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

Howard Chu wrote:

After adopting the schema changes in draft 9 we ran into a new issue; the pwdAccountLockedTime operational attribute is now marked NO-USER-MODIFICATION. Should this attribute be automatically removed when a password change is successfully performed?

Yes, i believe that this is desireable (and that's what we've implemented). However, there should also be a way to unlock an account without requiring a change in the password. A user should not be "punished" and have his pasword changed everytime the server is subject to an attempt of a dictionary attack.

(I.e., give it the same treatment as pwdFailureTime and pwdGraceUseTime which are removed upon successful password change.) Otherwise it's not clear that a password administrator can re-enable an account using the currently defined protocol operations, and requiring a manipulation outside the protocol seems wrong.

I have the same concern with pwdPolicySubentry, which seems to me to require manual setting. (For all the other non-modifiable attributes, they have clearly defined automated behaviors, so there's no issue there.)

In our implementation the pwdPolicySubentry can be set via our implementation of collective attribute, or manually... But I would expect some servers to have the attribute fully handled by the server.

Ludovic.

--
Ludovic Poitou                                    Sun Microsystems Inc.
Software Architect                               Directory Server Group
http://blogs.sun.com/Ludo/                             Grenoble, France

Sun Microsystems requires the following notice:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTICE:  This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Password Policy draft 9
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: [ldapext] Password Policy draft 9
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Re: [ldapext] Password Policy draft 9
Next by Date: Re: [ldapext] Password Policy draft 9
Index(es):
- Chronological
- Thread