[ldapext] Grace logins and password policy
- To: <ldapext@ietf.org>
- Subject: [ldapext] Grace logins and password policy
- From: "Ramsay, Ron" <Ron.Ramsay@ca.com>
- Date: Fri, 5 May 2006 11:52:32 +1000
- Content-class: urn:content-classes:message
- Thread-index: AcZv5pLp6gS5oIWUQCW9W5s+skR4CA==
- Thread-topic: Grace logins and password policy
Hi LDAPexters,
At the moment the Behera draft
(draft-behera-ldap-password-policy-08.txt) states that, once a password
has expired, it will need to be reset. This requires administrator
intervention. Some vendors, implementing their own password policy
mechanisms, allow a user to login with an expired password, forcing them
to change it before proceeding.
I believe there is a business case for either method of expired password
handling and that the Behera draft should address these.
More specifically:
If a user's password has expired and the number of grace logins has been
exceeded then, at the vendor's discretion (or by configuration), a
server can respond to a BIND request with either:
1) Bind Refuse - setting the LDAP response control error
passwordExpired, requiring the user's password to be reset (current
case);
or
2) Bind Confirm - setting the LDAP response control error
changeAfterReset, requiring the user to change their password before
allowing other operations.
The second option would seem a lot more manageable with a large user
base.
What do you think?
Ron
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
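As an added illustration (not code from the Behera draft, from this list, or from any directory server), the following Python models the two bind outcomes Ron contrasts and builds the passwordPolicyResponse control value (OID 1.3.6.1.4.1.42.2.27.8.5.1) that would accompany each. The control OID and the error enumeration are taken from the draft; the `allow_change_after_expiry` switch, the `PolicyState` fields and the grace-login accounting are assumptions made for this example. The encoder follows the usual BER layout of the control value (warning as a constructed context tag [0] wrapping the chosen alternative, error as a primitive context tag [1]).

```python
"""Model expired-password bind handling and encode the ppolicy response control.

Illustrative example only: the two-mode decision is the proposal under
discussion, not something the Behera draft specifies.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # passwordPolicyRequest/Response


class PPolicyError(IntEnum):
    """error ENUMERATED values from draft-behera-ldap-password-policy."""
    passwordExpired = 0
    accountLocked = 1
    changeAfterReset = 2
    passwordModNotAllowed = 3
    mustSupplyOldPassword = 4
    insufficientPasswordQuality = 5
    passwordTooShort = 6
    passwordTooYoung = 7
    passwordInHistory = 8


class ResultCode(IntEnum):
    """The two LDAP resultCodes a bind can end with here."""
    success = 0
    invalidCredentials = 49


@dataclass
class PolicyState:
    """Assumed per-user policy state (hypothetical fields for the example)."""
    expired: bool        # pwdChangedTime + pwdMaxAge is in the past
    grace_limit: int     # pwdGraceAuthNLimit
    grace_used: int      # number of pwdGraceUseTime values already recorded


@dataclass
class BindOutcome:
    result_code: ResultCode
    grace_remaining: Optional[int]   # warning.graceAuthNsRemaining, if any
    error: Optional[PPolicyError]    # ppolicy error, if any
    must_change: bool                # server will refuse everything but a password change


def decide_bind(state: PolicyState, password_ok: bool,
                allow_change_after_expiry: bool) -> BindOutcome:
    """Decide a BIND on an account whose password may be expired.

    allow_change_after_expiry=False is option 1 in the post (bind refused,
    error passwordExpired); True is option 2 (bind succeeds, error
    changeAfterReset, user confined to changing the password).
    """
    if not password_ok:
        # Wrong password is reported identically regardless of expiry,
        # so expiry state is not leaked to an unauthenticated client.
        return BindOutcome(ResultCode.invalidCredentials, None, None, False)
    if not state.expired:
        return BindOutcome(ResultCode.success, None, None, False)
    if state.grace_used < state.grace_limit:
        # A grace login is consumed and the client is warned how many remain.
        state.grace_used += 1
        remaining = state.grace_limit - state.grace_used
        return BindOutcome(ResultCode.success, remaining, None, False)
    if allow_change_after_expiry:
        return BindOutcome(ResultCode.success, None,
                           PPolicyError.changeAfterReset, True)
    return BindOutcome(ResultCode.invalidCredentials, None,
                       PPolicyError.passwordExpired, False)


def _ber_len(n: int) -> bytes:
    """Definite-form BER length (short form up to 127, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_uint(n: int) -> bytes:
    """Two's-complement contents octets for a non-negative INTEGER/ENUMERATED."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return b"\x00" + body if body[0] & 0x80 else body


def encode_ppolicy_response(outcome: BindOutcome) -> bytes:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { ... } OPTIONAL }"""
    body = b""
    if outcome.grace_remaining is not None:
        # [0] warning is constructed (0xA0) around [1] graceAuthNsRemaining (0x81)
        body += _tlv(0xA0, _tlv(0x81, _ber_uint(outcome.grace_remaining)))
    if outcome.error is not None:
        body += _tlv(0x81, _ber_uint(int(outcome.error)))  # [1] error, primitive
    return _tlv(0x30, body)


if __name__ == "__main__":
    for mode in (False, True):
        st = PolicyState(expired=True, grace_limit=2, grace_used=2)
        out = decide_bind(st, True, mode)
        print(mode, out.result_code.name, out.error and out.error.name,
              encode_ppolicy_response(out).hex())
```

The `must_change` flag is the part an implementation of option 2 has to enforce server-side: after such a bind, every operation other than a modify of the user's own password attribute should be rejected, otherwise an expired password is simply a valid one with a warning attached.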