Re: [ldapext] Unfinished business: password policy and VLV
On Aug 5, 2009, at 4:15 AM, Howard Chu wrote:
> Howard Chu wrote:
>> And also an extended op "ExternalBind" for allowing external authentication
>> providers to interact with the existing policy. I.e., this op will supply an
>> LDAP username and a success/fail code to the directory server, and the server
>> will execute the policy mechanisms accordingly. (E.g., if a Fail code is
>> supplied then the failure time and any relevant lockouts are recorded.)
>
> Thinking about this some more, I don't think a new exop is the right
> approach. Instead, I would use a new ppolicy control which can be
> attached to a Search request.
I suggest that such new protocol mechanisms, whether they be exop
based or control based, be specified separately from the Password
Policy document. While they may be related, it would seem reasonable
that an implementation might want to implement one but not the other.
Modularization is a good thing. Here I think it will aid in getting
security right.
Looking forward to discussing the devils in your details (I-Ds)...
-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext