[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Unfinished business: password policy and VLV

To: ldapext@ietf.org
Subject: Re: [ldapext] Unfinished business: password policy and VLV
From: Howard Chu <hyc@highlandsun.com>
Date: Mon, 10 Aug 2009 20:19:34 -0700
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <4A7E82FE.2090700@highlandsun.com>
References: <OFA71CDB2F.9614DC09-ON852573EC.0069861C-852573EC.006BDD73@us.ibm.com> <4A4EC639.3070706@highlandsun.com> <E263270E-E8AC-4245-829A-BA98882655D8@Isode.com> <4A52986B.80001@highlandsun.com> <4A7969DD.4090903@highlandsun.com> <7056861A-C18F-44B5-A4A9-251D6C13BE36@Isode.com> <4A7E82FE.2090700@highlandsun.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b5pre) Gecko/20090809 SeaMonkey/2.0a1pre Firefox/3.0.3

Howard Chu wrote:

9) In 7.4 (oops. forgot to take pwdGraceExpiry into account on this edit.)


Fixed, will be in next draft.

12) In 8., note that if a single password value is stored in multiple formats
simultaneously, it still counts as just a single password value. It's common
when centralizing multiple systems (SASL, Samba, Kerberos, NSS) into LDAP to
need to have the password in multiple forms. They are all equivalent and are
always changed simultaneously, so they are effectively only one password.


Equivalent text probably belongs in 4.3.

16) 9.5 Other Operations - also allow accountLocked result. This allows
Search+ppolicy control to be used by SASL etc., instead of the ExternalBind
stuff I mentioned in previous emails.


This appears to be a mistake, I'm reverting this to the 09 version.

There are still several TODO sections from 09 which I didn't touch.


TODOs:

do we need to have configurable backoff algorithms for login delays? seemslike overkill.

password safe modification, intruder detection - one possibility is toforce the session to immediately terminate on failure. That then accomplishesthe aim of requiring users to authenticate first.

pwdCheckQuality, checking during authentication. Sounds like a good idea;should it be done always, only when the stored password is hashed, or as aconfigurable choice? The result should be that pwdReset is effectively setwhen the verification succeeds.

advertisement and discovery - the control should be advertised insupportedControls in the rootDSE, what else needs to be said?


  administrativeRole - will use another OID under the current arc.

  ppolicy and replication - I think there are enough caveats in here now.

  IANA considerations - I've filled these in according to RFC4520.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Jim Willeke <jim@willeke.com>

References:
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Howard Chu <hyc@highlandsun.com>
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: [ldapext] Fwd: Manual Post Requested for draft-howard-rfc2307bis
Next by Date: Re: [ldapext] Unfinished business: password policy and VLV
Index(es):
- Chronological
- Thread