[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt

To: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
Subject: Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
From: simo <idra@samba.org>
Date: Mon, 31 Mar 2008 17:07:21 -0400
Cc: x500standard@freelists.org, LDAP Extensions list <ldapext@ietf.org>
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <3D27B3E2-C6EA-42AD-BE13-4FD46221E2CA@Isode.com>
Organization: Samba Team
References: <20080331174501.8F71328C198@core3.amsl.com> <3D27B3E2-C6EA-42AD-BE13-4FD46221E2CA@Isode.com>

On Mon, 2008-03-31 at 10:56 -0700, Kurt Zeilenga wrote:
> > A URL for this Internet-Draft is:
> >
> http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-passwords-00.txt

Some comments on the draft:

1)

In the document I see 'pwd' in a former incarnation has been replaced by
'passwd', why not the full 'password' ?

2)

> 3.1.3. 'passwdExpiry'
>
>   The 'passwdExpiry' attribute specifies the age, in seconds, in which a
>   password expires.

This is the number of seconds since the password is changed, right ?

This is in the policy itself, and means all password for users in the
same subtree expire 'passwdExpiry' seconds after their password change
date as recorded by: 'passwdChangeTime'

It is not allowed to have a different expiration time unless a specific
policy is created for the user(s).

With the proposed draft a change in the policy may suddenly expire a
great number of passwords unexpectedly (example: I am changing the
default policy from 90 days to 30 days expiration time).

Another way to handle this is to have passwordExipryTime on the user
entry that express the expiration as generalized time. 'passwdExpiry' in
this case is used at password change time to determine the value of
passwordExipryTime at the time of the change.

This means that followinf changes to the policies do not change the
recorded expiration date for password changes made in the past.

What is the reason for the proposed approach is preferred to this
alternative one ? (I am assuming both have been considered)

3)

4.2. Minimum Length

  The Minimum Length constraint restricts the length of allowed
  passwords, requiring all passwords to have at least the number of
  octets specified in the parameter.  [...]

Here minimum length is expressed in octects, but in UTF-8 multiple
octects can encode for a single character. And therefore a password can
be 'shorter' is simply octect are counted.

Shouldn't the minimum length indicate the minimum number of characters ?

4)

The number of constraints seem quite limited, are you open to suggestion
for more constraint types that are currently commonly used in various
server implementations ?

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>

References:
- [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>

Prev by Date: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
Next by Date: Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt
Index(es):
- Chronological
- Thread