[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] [x500standard] Password policy PDAM

To: x500standard@freelists.org, Ldapext <ldapext@ietf.org>
Subject: Re: [ldapext] [x500standard] Password policy PDAM
From: Howard Chu <hyc@highlandsun.com>
Date: Tue, 13 Oct 2009 18:13:17 -0700
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <4ACE4CBD.1050408@highlandsun.com>
References: <003201ca4829$14e1ecd0$3ea5c670$@eu> <4ACE4CBD.1050408@highlandsun.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9.1.5pre) Gecko/20091012 SeaMonkey/2.0a1pre Firefox/3.0.3

Howard Chu wrote:

I'll followup later with another review in terms of the current LDAP ppolicy
draft.

As David Chadwick suggested, it would be a good idea to align the names andOIDs of the policy elements that are semantically the same. Here's acomparison of where things stand right now.


X.500			LDAP
pwdAdminSubentryList/
pwdPolicySubentry	pwdPolicySubentry

   The LDAP definition is single-valued; only one policy is allowed to apply
   to the password attribute of an entry. (But if multiple password
   attributes are in use, then each can have its own policy.) In LDAP if
   multiple policies have overlapping coverage the behavior is undefined.

pwdAdminSubentry	pwdPolicy

myPwdAttribute		pwdAttribute

passwordHistory		pwdHistory

   Currently it looks like these two are not compatible.

recentlyExpiredPassword

   No analogue in LDAP spec. Could be added I guess.

passwordHistoryMatch

   No analogue in LDAP, history just uses octetStringMatch.

pwdStartTime		pwdStartTime

   Basically the same, but X.500 pwdStartTime is also set whenever a
   password is changed. LDAP uses pwdChangedTime for this purpose. The
   reason for the distinction: an admin may decide to set a password
   on an account, but leave it disabled until some time in the future.

   The most common example use-case is in schools/universities - hundreds
   or thousands of accounts may be created in advance for an incoming
   class of students. Their pwdStartTime will be set to the first day of
   class, while their pwdChangedTime will reflect the time their password
   was actually created.

pwdExpiryTime

   No analogue in LDAP. Could be added.

pwdEndTime		pwdEndTime
	
   Basically the same. We should adopt the X.500 description for the
   LDAP spec.

pwdFails

   LDAP uses pwdFailureTime which records the timestamps of the failures,
   not just a count of the failures.

gracesUsed

   LDAP uses pwdGraceUseTime which records the timestamps of each
   usage, not just a count.

The LDAP spec has 3 more operational attributes that appear to be missing fromthe X.500 spec:

	pwdAccountLockedTime - the time that an account was locked.

pwdReset - a boolean that indicates a user must change their password (e.g.because it was set by an administrator).

	pwdLastSuccess - the timestamp of the last successful authentication


Policy schema:

X.500			LDAP

modifyEntryPwdAllowed

    No analogue in LDAP

changePwdAllowed	pwdAllowUserChange

    Basically the same

pwdMaxAge

Missing in LDAP. Adding it will be tricky since we already use apwdMaxAge attribute, for expiration.


pwdExpiryAge		pwdMaxAge

    Basically the same meaning; LDAP is missing the ordering rule.

minPwdLength		pwdMinLength

    Basically the same. LDAP also has pwdMaxLength, as some systems only work
    with some small length (e.g. 8 or 16 on some legacy platforms).

pwdVocabulary
pwdAlphabet
pwdDictionaries

    Missing in LDAP. Should consider adding them.

pwdExpiryWarning	pwdExpireWarning
pwdGraces		pwdGraceAuthNLimit
pwdLockoutDuration	pwdLockoutDuration
pwdMaxFailures		pwdMaxFailure

    Basically the same, besides choice of spelling. LDAP is missing the
    ordering rule.

pwdFailureDuration	pwdMinDelay

    LDAP also requires pwdMaxDelay if pwdMinDelay is set.

pwdMaxTimeInHistory
pwdMinTimeInHistory

    No analogue in LDAP, should consider adding it.

pwdHistorySlots		pwdInHistory

    Similar; LDAP doesn't specify a minimum value. Absence / 0 implies no
    history tracking.

recentlyExpiredPwdDuration

    No analogue in LDAP.

pwdEncryptionAlg

    No analogue in LDAP. Password hashing is implementation-specific.

The LDAP spec also defines pwdMinAge, pwdCheckQuality, pwdGraceExpiry,
pwdLockout, pwdFailureCountInterval, pwdMustChange, pwdSafeModify, pwdMaxIdle.

Kurt Zeilenga's draft makes an argument against using pwdMinAge, we shouldconsider dropping it from the LDAP spec and augmenting the history policyattributes instead. pwdCheckQuality would be superseded by pwdVocabulary,

pwdAlphabet and pwdDictionaries.

pwdGraceExpiry should probably be added to the X.500 spec; i.e. there shouldbe some provision for aging out grace logins.


pwdLockout simply controls whether failure-based lockouts will be enforced or not.

pwdFailureCountInterval defines the number of seconds after which password
failures are automatically purged, even though no successful authentication
occurred. It's a bit of a bandaid to allow recovering from a failure lockout.

pwdMustChange controls whether administrative password changes will requirethe user to change their password immediately on next login.

pwdSafeModify controls whether the old password is required or not in aPasswordModify operation.

pwdMaxIdle disables an account if it has not been logged into within thespecified interval. It may be a good idea to add this to the X.500 spec.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Next by Date: [ldapext] Status of X.500 based Access Control for LDAP
Index(es):
- Chronological
- Thread