
Re: [ldapext] Interaction of <draft-behera-ldap-password-policy> with authentication applications



Andrew Bartlett wrote:
On Mon, 2006-01-02 at 05:39 -0800, Howard Chu wrote:
As suggested, you could use a regular Bind operation to update the authentication state in the auxprop "done" method. As long as the done method is called in all cases, the lookup method doesn't need to trigger any updates, and the only extension we need is to define the ppolicy control behavior when accompanying a Search. I think this is a relatively benign change and ought to be rolled into draft-behera; it is at least as relevant as the current support for Compare operations.

But how should this be handled if we don't store the plaintext? I realise this isn't where Cyrus-SASL is heading, but Samba traditionally only stores the NT and LM hashes. For the Samba4 work, storage of what Windows calls the 'reversibly encrypted password' is optional, and I would hate for LDAP-based password policy to rely on it.

The enforcement of password policy works regardless of the method/hash used to store passwords in the directory. However, for Cyrus SASL secret-based mechs, obviously we need plaintext, and password modifications must be sent to the server in plaintext.


Also, how could I attach (to the bind operation for updating/validation of the policy) the IP the user authenticated from (and other such details)?

These are clearly application-specific issues, and it's just this sort of thing I'm sure Kurt was trying to avoid dragging into the picture. It is right and proper that draft-behera only address features and behaviors relevant to an LDAP client authenticating to an LDAP server. When the LDAP client is itself an application authenticating on behalf of some other client, you've really got a proxy situation, and that deserves its own separate consideration.


Where the two situations overlap, it makes sense to me to unify them. I think there is sufficient overlap in the Cyrus SASL case. Where the two situations differ, it makes sense to isolate the differences. The password policy specification only talks about password management. A user's IP address may figure into authentication policy or more generally into access control, but that's outside the scope of a password discussion.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
