
[ldapext] Grace logins and password policy

Hi LDAPexters,

At the moment the Behera draft
(draft-behera-ldap-password-policy-08.txt) states that, once a password
has expired, it will need to be reset. This requires administrator
intervention. Some vendors, implementing their own password policy
mechanisms, allow a user to login with an expired password, forcing them
to change it before proceeding.

I believe there is a business case for either method of expired password
handling and that the Behera draft should address these.

More specifically:

If a user's password has expired and the number of grace logins has been
exceeded then, at the vendor's discretion (or by configuration), a
server can respond to a BIND request with either:

1) Bind Refuse - setting the LDAP response control error
passwordExpired, requiring the user's password to be reset (current
case);

or

2) Bind Confirm - setting the LDAP response control error
changeAfterReset, requiring the user to change their password before
allowing other operations.

The second option would seem a lot more manageable with a large user
base.

What do you think?

Ron

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
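The decision a server has to make at BIND time under the two options above, as an added example that is not part of the post, the draft, or any vendor's implementation. The policy and entry attribute names (`pwd_max_age`, `pwd_grace_authn_limit`, `pwd_changed_time`, `pwd_grace_use_time`, `pwd_reset`) and the two response-control error values are modelled on the Behera draft; the `expired_mode` switch is the hypothetical vendor/configuration choice the post proposes. It also shows the grace-login path that precedes the expired-and-exhausted case, and the follow-on check that a "confirm" bind may only change the password until it has done so.

```python
"""Bind decision logic under a Behera-style password policy (added example).

Models the grace-login window and, once it is exhausted, the two behaviours
the post contrasts: refuse the bind with passwordExpired (option 1) or accept
it with changeAfterReset and restrict further operations (option 2).
Attribute/error names follow the draft; `expired_mode` is hypothetical.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class PPolicyError(Enum):
    # Error values carried in the password policy response control.
    PASSWORD_EXPIRED = 0
    CHANGE_AFTER_RESET = 2


@dataclass
class Policy:
    pwd_max_age: int             # seconds a password stays valid; 0 = never expires
    pwd_grace_authn_limit: int   # binds allowed after expiry before lock-out
    expired_mode: str = "refuse" # "refuse" (option 1) or "confirm" (option 2); assumed knob


@dataclass
class Entry:
    pwd_changed_time: int                                  # epoch seconds of last change
    pwd_grace_use_time: List[int] = field(default_factory=list)  # one timestamp per grace bind
    pwd_reset: bool = False                                # set by an administrative reset


@dataclass
class BindResult:
    accepted: bool
    error: Optional[PPolicyError] = None
    grace_remaining: Optional[int] = None   # warning: grace binds left after this one
    must_change_password: bool = False      # only a password change is allowed next


def password_expired(entry: Entry, policy: Policy, now: int) -> bool:
    """True when the password is older than pwdMaxAge (0 disables expiry)."""
    if policy.pwd_max_age == 0:
        return False
    return now - entry.pwd_changed_time >= policy.pwd_max_age


def evaluate_bind(entry: Entry, policy: Policy, now: int) -> BindResult:
    """Decide the policy outcome of a bind whose credentials already verified.

    Mutates `entry` to record grace-bind usage, as a server would.
    """
    if not password_expired(entry, policy, now):
        if entry.pwd_reset:
            # Admin reset: bind succeeds but the user must pick a new password.
            return BindResult(True, PPolicyError.CHANGE_AFTER_RESET,
                              must_change_password=True)
        return BindResult(True)

    used = len(entry.pwd_grace_use_time)
    if used < policy.pwd_grace_authn_limit:
        # Expired but within the grace window: accept, consume one grace bind,
        # and warn how many remain.
        entry.pwd_grace_use_time.append(now)
        return BindResult(True, grace_remaining=policy.pwd_grace_authn_limit - used - 1)

    # Expired and grace logins exhausted: the point the post is about.
    if policy.expired_mode == "refuse":
        return BindResult(False, PPolicyError.PASSWORD_EXPIRED)
    if policy.expired_mode == "confirm":
        return BindResult(True, PPolicyError.CHANGE_AFTER_RESET,
                          must_change_password=True)
    raise ValueError(f"unknown expired_mode {policy.expired_mode!r}")


def operation_allowed(result: BindResult, op: str, attr: Optional[str]) -> bool:
    """After a 'confirm' bind, only a modify of userPassword may proceed."""
    if not result.accepted:
        return False
    if result.must_change_password:
        return op == "modify" and attr == "userPassword"
    return True


if __name__ == "__main__":
    # Constructed walk-through: 100 s max age, 2 grace binds, password set at t=0.
    policy = Policy(pwd_max_age=100, pwd_grace_authn_limit=2, expired_mode="confirm")
    entry = Entry(pwd_changed_time=0)
    for t in (50, 150, 160, 170):
        r = evaluate_bind(entry, policy, t)
        print(t, r, "search allowed:", operation_allowed(r, "search", None))
```

Running the module walks one user through a valid bind, two grace binds, and the exhausted case under option 2; switching `expired_mode` to `"refuse"` turns the last bind into a rejection with `PASSWORD_EXPIRED`, which is the behaviour the draft currently mandates.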