
Re: [ldapext] password policy vs. shadowing/caching



On Jul 2, 2010, at 2:48 PM, Kurt Zeilenga wrote:

> Not only does the spec continue to suffer from various issues in face of shadowing/caching, additional issues in this area have been introduced by features such as account idling.
> 
> Account idling relies on shared knowledge across a set of DSAs of last successful login, and nothing in LDAP/X.500 ensures such shared knowledge can be maintained.
> 
> I favor a base specification(s) which details policy mechanisms specifically designed to operate in a traditional LDAP/X.500 model (each entry held by one master, possibly multiple shadow and caching DSAs) without any reliance on distributed operations and possibly additional specifications (possibly as appendices to the base) discussing how the base specification could be enhanced through the use of distributed operations and other yet-to-be-specified extensions (to the protocol or models).

I note that one of the distributed policy issues that would need to be addressed (possibly simply by discussion in security considerations) is the DoS vulnerability introduced by replication of user-specific state information. That is, there is a magnification attack here.

-- Kurt
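To make the magnification point concrete, here is an added toy model (my own illustration, not code from this thread or from any LDAP implementation) of a master with N shadow DSAs where every failed bind updates a per-user failure counter on the master and that counter is then replicated. The `mode` values, the `lockout` threshold and the "replicate only the lockout transition" variant are assumptions introduced for the comparison.

```python
from dataclasses import dataclass, field


@dataclass
class Dsa:
    """One directory server in the model (master or shadow); hypothetical, not LDAP code."""
    name: str
    writes: int = 0                                     # entry modifications applied here
    fail_count: dict = field(default_factory=dict)      # uid -> consecutive failed binds


class Topology:
    """A single master plus N shadows. `mode` selects how per-user policy state is handled:
       replicate_all      - every failure-counter update is replicated to all shadows
       replicate_lockout  - only the update that crosses the lockout threshold is replicated
       local_only         - the counter is kept on the master only, never replicated
    All three modes are assumptions for the comparison, not a standard's definitions."""

    def __init__(self, n_shadows: int, mode: str, lockout: int = 5):
        self.master = Dsa("master")
        self.shadows = [Dsa(f"shadow{i}") for i in range(n_shadows)]
        self.mode = mode
        self.lockout = lockout

    def failed_bind(self, uid: str) -> int:
        """Record one failed bind for `uid`; return the number of writes it caused
        across the whole topology.  Failed binds need no credentials, which is why
        this path is the one an unauthenticated client can drive at will."""
        m = self.master
        m.fail_count[uid] = m.fail_count.get(uid, 0) + 1
        m.writes += 1
        writes = 1
        crossed = m.fail_count[uid] == self.lockout
        if self.mode == "replicate_all" or (self.mode == "replicate_lockout" and crossed):
            for s in self.shadows:                      # one replicated write per shadow
                s.fail_count[uid] = m.fail_count[uid]
                s.writes += 1
                writes += 1
        return writes


def amplification(n_shadows: int, mode: str, attempts: int = 100, lockout: int = 5) -> float:
    """Average writes per unauthenticated bind attempt for a given topology and mode."""
    topo = Topology(n_shadows, mode, lockout)
    total = sum(topo.failed_bind("alice") for _ in range(attempts))   # constructed sample user
    return total / attempts


if __name__ == "__main__":
    for mode in ("replicate_all", "replicate_lockout", "local_only"):
        print(f"{mode:18s} writes per attempt with 10 shadows: {amplification(10, mode):.2f}")
```

With ten shadows, replicating every counter update turns each attacker-controlled failed bind into eleven writes, which is the magnification the thread is concerned about; keeping the state local, or replicating only the lockout transition, keeps the per-attempt cost close to one write.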
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext