
Re: [ldapext] Interaction of <draft-behera-ldap-password-policy> with authentication applications



Pierangelo Masarati wrote:
^^^ you assume every authentication can be turned into a value compare;
for those cases, draft-behera is just fine, because it already accounts
for compare on the pwdAttribute as an authentication method.  However,
there are other password-based methods that need the value, not just a
yes/no.  This is what I'm discussing, and that's why I need separate
"lookup" and "done" methods; that's also why my needs are currently out
of the scope of draft-behera, requiring me to (re-)implement its logic
in the authentication application, using hacks to update the
authentication state info in the DSA.

As suggested, you could use a regular Bind operation to update the authentication state in the auxprop "done" method. As long as the done method is called in all cases, the lookup method doesn't need to trigger any updates, and the only extension we need is to define the ppolicy control behavior when accompanying a Search. I think this is a relatively benign change and ought to be rolled into draft-behera; it is at least as relevant as the current support for Compare operations.


--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext