
Re: [ldapext] Interaction of <draft-behera-ldap-password-policy> with authentication applications



On Mon, 2006-01-02 at 05:39 -0800, Howard Chu wrote:
> Pierangelo Masarati wrote:
> > ^^^ you assume every authentication can be turned in a value compare;
> > for those cases, draft-behera is just fine, because it already accounts
> > for compare on the pwdAttribute as an authentication method.  However,
> > there are other password-based methods that need the value, not just a
> > yes/no.  This is what I'm discussing, and that's why I need separate
> > "lookup" and "done" methods; that's also why my needs are currently out
> > of the scope of draft-behera, requiring me to (re-)implement its logics
> > in the authentication application, using hacks to update the
> > authentication state info in the DSA.
> 
> As suggested, you could use a regular Bind operation to update the 
> authentication state in the auxprop "done" method. As long as the done 
> method is called in all cases, the lookup method doesn't need to trigger 
> any updates, and the only extension we need is to define the ppolicy 
> control behavior when accompanying a Search. I think this is a 
> relatively benign change and ought to be rolled into draft-behera; it is 
> at least as relevant as the current support for Compare operations.

But how should this be handled if we don't store the plaintext?  I
realise this isn't where Cyrus-SASL is heading, but Samba traditionally
only stores the NT and LM hashes.  For the Samba4 work, storage of what
Windows calls the 'reversibly encrypted password' is optional, and I
would hate for LDAP-based password policy to rely on it.

Also, how could I attach (to the bind operation for updating/validation
of the policy) the IP the user authenticated from (and other such
details)?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

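The split the thread is arguing about, modelled as an added example (not Cyrus-SASL, Samba or OpenLDAP code, and not from either poster): a toy DSA that stores only a one-way form of the password can answer a draft-behera style Compare for a plaintext Bind, but a challenge-response mechanism needs the stored value itself, so the authentication application has to fetch it ("lookup"), verify the client's response, and then report the outcome together with details the DSA never saw, such as the client IP ("done"), so that policy state (failure count, lockout) can be updated. The hashing scheme, the lockout threshold, the DN and the addresses are all constructed for illustration.

```python
"""Toy model of the "lookup" / "done" split for a DSA that stores no plaintext.
Everything here (hash scheme, policy threshold, names) is constructed for
illustration and is not the code of any project named in the thread."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILURES = 3  # constructed policy: lock after three consecutive failures


def stored_secret(password: str) -> bytes:
    # Stand-in for a one-way stored form such as an NT hash (constructed: SHA-256).
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class PolicyState:
    failures: int = 0
    locked: bool = False
    last_success_ip: Optional[str] = None
    failure_ips: List[str] = field(default_factory=list)


class ToyDSA:
    """Directory holding only the hashed secret plus per-user policy state."""

    def __init__(self) -> None:
        self.secrets: Dict[str, bytes] = {}
        self.policy: Dict[str, PolicyState] = {}

    def add_user(self, dn: str, password: str) -> None:
        self.secrets[dn] = stored_secret(password)
        self.policy[dn] = PolicyState()

    def compare(self, dn: str, password: str) -> bool:
        """Compare on the password attribute: a yes/no answer only."""
        return hmac.compare_digest(self.secrets[dn], stored_secret(password))

    def lookup(self, dn: str) -> Optional[bytes]:
        """'lookup': hand the stored value to the auth application, refusing
        if policy has locked the entry. Touches no state."""
        if self.policy[dn].locked:
            return None
        return self.secrets[dn]

    def done(self, dn: str, success: bool, client_ip: str) -> PolicyState:
        """'done': the auth application reports the outcome plus details the
        DSA could not observe itself (here, the client IP)."""
        st = self.policy[dn]
        if success:
            st.failures = 0
            st.last_success_ip = client_ip
        else:
            st.failures += 1
            st.failure_ips.append(client_ip)
            if st.failures >= MAX_FAILURES:
                st.locked = True
        return st


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side of a toy challenge-response: proves knowledge of the stored
    secret without transmitting it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def authenticate(dsa: ToyDSA, dn: str, client_ip: str, client_secret: bytes) -> bool:
    """Server side: lookup -> verify -> done. No plaintext is available here,
    so a Compare could not have performed this check."""
    secret = dsa.lookup(dn)
    if secret is None:  # entry is locked by policy
        return False
    challenge = secrets.token_bytes(16)
    response = challenge_response(client_secret, challenge)  # the client's answer
    ok = hmac.compare_digest(response, challenge_response(secret, challenge))
    dsa.done(dn, ok, client_ip)
    return ok


def demo() -> dict:
    dsa = ToyDSA()
    dn = "cn=alice,dc=example,dc=test"  # constructed entry
    dsa.add_user(dn, "correct horse")
    good, bad = stored_secret("correct horse"), stored_secret("wrong")
    results = {
        "compare_ok": dsa.compare(dn, "correct horse"),
        "compare_bad": dsa.compare(dn, "wrong"),
        "cr_ok": authenticate(dsa, dn, "192.0.2.10", good),
    }
    for _ in range(MAX_FAILURES):  # repeated failures from another address
        authenticate(dsa, dn, "192.0.2.99", bad)
    st = dsa.policy[dn]
    results.update(locked=st.locked, failures=st.failures,
                   last_success_ip=st.last_success_ip, failure_ips=list(st.failure_ips),
                   locked_attempt=authenticate(dsa, dn, "192.0.2.10", good))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that `done` is the only place the policy state changes, which is why the thread insists it must run in every case; `lookup` merely refuses a locked entry, and the IP the user came from reaches the DSA only because the authentication application passes it along with the verdict.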

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext