[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Unfinished business: password policy and VLV

To: Howard Chu <hyc@highlandsun.com>
Subject: Re: [ldapext] Unfinished business: password policy and VLV
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 14 Aug 2009 18:57:14 +0200
Cc: ldapext@ietf.org
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <4A7969DD.4090903@highlandsun.com>
References: <OFA71CDB2F.9614DC09-ON852573EC.0069861C-852573EC.006BDD73@us.ibm.com> <4A4EC639.3070706@highlandsun.com> <E263270E-E8AC-4245-829A-BA98882655D8@Isode.com> <4A52986B.80001@highlandsun.com> <4A7969DD.4090903@highlandsun.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.22) Gecko/20090606 SeaMonkey/1.1.17

Howard Chu wrote:
> Howard Chu wrote:
>> And also an extended op "ExternalBind" for allowing external 
>> authentication providers to interact with the existing policy. I.e., this
>> op will supply an LDAP username and a success/fail code to the directory
>> server, and the server will execute the policy mechanisms accordingly.
>> (E.g., if a Fail code is supplied then the failure time and any relevant
>> lockouts are recorded.)
> 
> Thinking about this some more, I don't think a new exop is the right
> approach. Instead, I would use a new ppolicy control which can be
> attached to a Search request. It would only be valid for searches of
> Base scope. It would result in a ppolicy response control being attached
> to the search entry that fulfills the search request. This would allow
> an external authentication mechanism to discover if the account is
> already locked, password is expired, etc. The response control would
> also include an opaque cookie.

Thinking in this direction a bit further I wonder how requests with Proxy
Authz control attached should be handled in case of (temporarily) locked accounts.

> We would also define a new ppolicy control which can be attached to a
> Simple Bind request. This control would carry the cookie from the
> previous response control, and a boolean success/fail value. If the
> cookie is valid, the credentials of the Bind request will be ignored and
> the boolean success/fail code is used to update the ppolicy state for
> the specified user.

What's the use-case for that?

> At this point I'm preparing a new draft of the behera-ppolicy document
> with the several additions I've mentioned. I am also preparing a new
> revision of the RFC2307 schema, and a draft of a Kerberos 5 schema. Both
> of these latter documents will depend on the ppolicy draft. I plan to
> post these in the next couple of days.

This all sounds very reasonable.

Ciao, Michael.

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Howard Chu <hyc@highlandsun.com>

References:
- Re: [ldapext] Unfinished business: password policy and VLV
  - From: Howard Chu <hyc@highlandsun.com>

Prev by Date: Re: [ldapext] Unfinished business: password policy and VLV
Next by Date: Re: [ldapext] Unfinished business: password policy and VLV
Index(es):
- Chronological
- Thread