On Wed, 2006-01-04 at 19:50 -0800, Howard Chu wrote:
> Where the two situations overlap, it makes sense to me to unify them. I
> think there is sufficient overlap in the Cyrus SASL case. Where the two
> situations differ, it makes sense to isolate the differences. The
> password policy specification only talks about password management. A
> user's IP address may figure into authentication policy or more
> generally into access control, but that's outside the scope of a
> password discussion.

I've been looking at the spec again, from the password management angle.
I understand the intent to limit the scope here. What I'm worried about
is again an application proxy issue, but more limited:

Strictly within the password management space, I want to communicate to
the back end the difference between:
- user changes their password
- administrator changes a user's password (but must follow some
  restrictions)
- big hammer (I am going to set 'cat' and you shouldn't stop me...)

I need that in Samba4 (and indeed the first 2 in Samba3), if we are to
have the directory enforce the password policies. However, in all cases
the bind occurs as an administrative user, as we never get the user's
cleartext in these protocols.

I presume the big hammer matches up with ManageDIT? Could we add a
control to advise the backend of the other details?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext