On Mon, 2006-01-02 at 05:39 -0800, Howard Chu wrote:

> Pierangelo Masarati wrote:
> > ^^^ you assume every authentication can be turned in a value compare;
> > for those cases, draft-behera is just fine, because it already accounts
> > for compare on the pwdAttribute as an authentication method. However,
> > there are other password-based methods that need the value, not just a
> > yes/no. This is what I'm discussing, and that's why I need separate
> > "lookup" and "done" methods; that's also why my needs are currently out
> > of the scope of draft-behera, requiring me to (re-)implement its logic
> > in the authentication application, using hacks to update the
> > authentication state info in the DSA.
>
> As suggested, you could use a regular Bind operation to update the
> authentication state in the auxprop "done" method. As long as the done
> method is called in all cases, the lookup method doesn't need to trigger
> any updates, and the only extension we need is to define the ppolicy
> control behavior when accompanying a Search. I think this is a
> relatively benign change and ought to be rolled into draft-behera; it is
> at least as relevant as the current support for Compare operations.

But how should this be handled if we don't store the plaintext? I realise this isn't where Cyrus-SASL is heading, but Samba traditionally only stores the NT and LM hashes. For the Samba4 work, storage of what Windows calls the 'reversibly encrypted password' is optional, and I would hate for LDAP-based password policy to rely on it.

Also, how could I attach (to the bind operation for updating/validation of the policy) the IP the user authenticated from (and other such details)?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext