
Re: [ldapext] Interaction of <draft-behera-ldap-password-policy> with authentication applications



On Mon, 2006-01-02 at 23:46 +1100, Andrew Bartlett wrote:

> I'm unclear why we are doing modifies here.  While a complete hack, the
> Novell eDirectory with Samba3 approach is I believe instructive.  I just
> want a standards-based way to do it.
> 
> For logins: 
>  The password should be fetched, and a password compare done.  

^^^ you assume every authentication can be turned into a value compare;
for those cases, draft-behera is just fine, because it already accounts
for compare on the pwdAttribute as an authentication method.  However,
there are other password-based methods that need the value, not just a
yes/no.  This is what I'm discussing, and that's why I need separate
"lookup" and "done" methods; that's also why my needs are currently out
of the scope of draft-behera, requiring me to (re-)implement its logic
in the authentication application, using hacks to update the
authentication state info in the DSA.

> 
>  A message should be sent to the server indicating: 
>   - success/failure
>   - source IP
>   - other details (such as the NTLM 'workstation name')
> 
>  The server should handle all the modifies, I think.
> 
> For password changes:
>  The existing password change exop, but with clear info on failures.

All you need to use is the password policy control as described in the
draft; OpenLDAP already implements the server-side of ppolicy in an
overlay, and the client side in the library: get libldap 2.3 and that's
all.

> This should set all hash types etc.

Yes.

> 
> I don't actually see where the manageDIT modify would come into it.  The
> other point to consider is that any change should easily hook into the
> code for the server-only policy

See above.


> If the hooks do look like what I suggest above, then we might even get
> Samba3 along for this, because the internal APIs already exist for the
> eDirectory case.

Well, if you're fine with LDAP compare, yes: you can definitely have it
working in Samba 3, as far as I can tell.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext