
Re: [ldapext] Fwd: I-D Action:draft-zeilenga-ldap-passwords-00.txt



On Mon, 2008-03-31 at 17:23 -0700, Howard Chu wrote:
> simo wrote:
> >>> 4)
> >>>
> >>> The number of constraints seems quite limited, are you open to
> >>> suggestions for more constraint types that are currently commonly
> >>> used in various server implementations?
> >> Yes.
> >
> > Thanks,
> > there are some encoding (utf-8) dependent constraints that are widely
> > used like:
> >
> > - minimum length in characters
> > - maximum number of repetitions of the same character in a password
> > - minimum number of alphabetic characters
> > - minimum number of lower case characters
> > - minimum number of upper case characters
> > - minimum number of digits
> > - minimum number of special characters (usually ASCII characters that
> > represent symbols, but may be extended to other symbols in the UTF-8
> > space)
> > - minimum number of ASCII characters (as opposed to other utf-8
> > characters)
> > - complexity checks, like the checks performed by the cracklib library
> > to make sure the user name (or other user data) is not used as part of
> > the password itself, or the password is not too similar to a dictionary
> > word (locale dependent sometimes).
> 
> I recall when draft-behera was being discussed that folks wanted more 
> constraints, but nobody suggested what those might be. This is a pretty good 
> list. As for complexity checks, that may still be more difficult to 
> standardize. In OpenLDAP we punt that to a user-written checking module.
> 
> I don't really see a good way to fully spec this here, unless you want to 
> define an attribute to carry ABNF rules that a password must conform to. Or, 
> we could define a list of "dictionaries" that must be checked, where a 
> "dictionary" is a specified version number of a well-known word list, library 
> (like cracklib) or other external mechanism.

I would consider this option features, implementation dependent.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>
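
The character-based constraints listed in the quoted message, sketched as an added example that is not part of this thread, the draft, or any server's code. The `Policy` field names are hypothetical, and three choices are assumptions of this sketch: NFC normalisation before counting, "repetitions" read as the longest run of one consecutive character, and "special" read as the Unicode punctuation and symbol categories.

```python
import unicodedata
from dataclasses import dataclass

@dataclass
class Policy:
    # Hypothetical field names for this example; not attribute names from the draft.
    min_length: int = 8    # counted in characters, not bytes
    min_alpha: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 1
    min_ascii: int = 0
    max_repeats: int = 2   # assumption: longest run of one consecutive character

def classify(password: bytes) -> dict:
    """Count character classes in a UTF-8 password.

    Invalid UTF-8 raises UnicodeDecodeError instead of being counted as bytes.
    """
    # Assumption: NFC-normalise so "e" + combining accent counts as one character.
    text = unicodedata.normalize("NFC", password.decode("utf-8"))
    c = dict(length=len(text), alpha=0, lower=0, upper=0, digits=0,
             special=0, ascii=0, repeats=0)
    run, prev = 0, None
    for ch in text:
        cat = unicodedata.category(ch)       # e.g. "Ll", "Lu", "Nd", "Po", "Sm"
        c["alpha"] += cat.startswith("L")    # any letter, not only A-Z
        c["lower"] += cat == "Ll"
        c["upper"] += cat == "Lu"
        c["digits"] += cat == "Nd"
        c["special"] += cat[0] in "PS"       # punctuation and symbols
        c["ascii"] += ord(ch) < 128
        run = run + 1 if ch == prev else 1
        prev = ch
        c["repeats"] = max(c["repeats"], run)
    return c

def violations(password: bytes, policy: Policy) -> list:
    """Return the names of the constraints the password fails."""
    c = classify(password)
    names = ("length", "alpha", "lower", "upper", "digits", "special", "ascii")
    failed = [n for n in names if c[n] < getattr(policy, "min_" + n)]
    if c["repeats"] > policy.max_repeats:
        failed.append("repeats")
    return failed

if __name__ == "__main__":
    pw = "P\u00e4ssw\u00f6rd1!".encode("utf-8")   # constructed sample: 12 bytes, 10 characters
    print(len(pw), classify(pw), violations(pw, Policy(min_length=11)))
```

The sample password is 12 bytes long but only 10 characters, so a minimum length of 11 passes if the server counts octets and fails if it counts characters.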
