
Re: [ldapext] password policy: exclude (or exempt) user from policy



On Jul 5, 2010, at 1:27 PM, Ludovic Poitou wrote:

> Kurt, 
> 
> I don't really like using exception mechanisms like this, which are difficult to track for an administrator and may be abused by users if not protected appropriately.

The specification already has numerous operational attributes which an administrator might need to track, I don't see one more being all that problematic...  nor a significant security risk.   Like most DSA vendors, and presumably you, we just ship with reasonable default access controls for pwdExclude as well as other security oriented attributes.  I assume most DSA vendors ship with defaults that prevent average users from establishing a password policy for their object.

One thing we don't (yet) do is check for inappropriate access rights before using an attribute.  That is, ignore pwdExclude if it's writable by the user.  We could do this, but I tend to avoid making the access control system any more complicated than it needs to be.

> In OpenDS we have some extended subtree specifications that allow filtering users in or out of the password policy definition itself. 
> I'm gonna be out for the next 3 weeks but will comment on your emails related to the password policy when I'm back. I didn't get the time to do it before today. 

No worries.  It's not like these are burning issues.

-- Kurt
> 
> Regards
> 
> Ludovic Poitou
> Sent from a mobile. 
> 
> On 5 Jul. 2010, at 22:14, Kurt Zeilenga <Kurt.Zeilenga@Isode.com> wrote:
> 
>> It is desirable to have a mechanism to exclude (or exempt) a user from the policy.  For instance, it's nasty for various accounts associated with application entities (as opposed to humans) to be locked out.
>> 
>> In the Isode implementation, we have an operational single-valued attribute, pwdExclude, which if present in the user's entry and has the boolean value TRUE exempts the user from all password policy enforcement.
>> 
>> It would be good to add something like this to the spec.
>> 
>> -- Kurt
>> _______________________________________________
>> Ldapext mailing list
>> Ldapext@ietf.org
>> https://www.ietf.org/mailman/listinfo/ldapext

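Added illustration (not Isode's code and not from anyone in the thread): a small Python model of the pwdExclude rule Kurt describes, with the hardening he mentions but has not implemented (ignore the attribute when the entry's own user could write it). The DSA, the ACL model, the DNs and the pwdFailureTime-style failure accounting are constructed assumptions for the example; pwdExclude is read strictly as a single-valued RFC 4517 Boolean, so "true" or a second value does not exempt anyone.

```python
"""Model of a pwdExclude exemption check for a password policy.

Example code for the thread, not a DSA implementation. Entries, the ACL
rules and the failure accounting below are constructed for illustration.
"""
from dataclasses import dataclass

# RFC 4517 Boolean syntax admits exactly these two spellings.
LDAP_TRUE = "TRUE"
LDAP_FALSE = "FALSE"


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute type -> list of string values


@dataclass(frozen=True)
class AclRule:
    """Hypothetical ACL: DNs allowed to write `attr` on entries under `subtree`.
    The literal "self" grants write access to the entry's own DN."""
    attr: str
    subtree: str
    writers: frozenset


def _dn_in_subtree(dn, subtree):
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def can_write(acl, actor_dn, entry, attr):
    """True if actor_dn may modify `attr` on `entry` under the constructed ACL."""
    for rule in acl:
        if rule.attr.lower() != attr.lower() or not _dn_in_subtree(entry.dn, rule.subtree):
            continue
        if actor_dn.lower() in {w.lower() for w in rule.writers}:
            return True
        if "self" in rule.writers and actor_dn.lower() == entry.dn.lower():
            return True
    return False


def pwd_exclude_value(entry):
    """Read pwdExclude as a single-valued LDAP Boolean.
    Returns True/False, or None if absent, multi-valued or malformed."""
    values = entry.attrs.get("pwdExclude", [])
    if len(values) != 1:
        return None
    if values[0] == LDAP_TRUE:
        return True
    if values[0] == LDAP_FALSE:
        return False
    return None  # "true", "yes", "1" are not valid Boolean syntax


def is_exempt(entry, acl, ignore_if_self_writable=True):
    """Kurt's rule: exempt iff pwdExclude is present and TRUE.
    With ignore_if_self_writable, also apply his suggested hardening:
    a pwdExclude the user could set on their own entry is not honoured."""
    if pwd_exclude_value(entry) is not True:
        return False
    if ignore_if_self_writable and can_write(acl, entry.dn, entry, "pwdExclude"):
        return False
    return True


def record_failed_bind(entry, acl, max_failures=3):
    """Simplified lockout accounting after one failed bind.
    Returns (locked_out, failure_count); exempt entries accrue nothing."""
    if is_exempt(entry, acl):
        return False, 0
    failures = entry.attrs.setdefault("pwdFailureTime", [])
    failures.append("t%d" % (len(failures) + 1))  # stand-in for a timestamp
    return len(failures) >= max_failures, len(failures)


# Constructed sample directory: only cn=admin may write pwdExclude under
# ou=people; ou=weak is a deliberately misconfigured subtree where users
# may write it themselves.
ACL = [
    AclRule("pwdExclude", "ou=people,dc=example,dc=com",
            frozenset({"cn=admin,dc=example,dc=com"})),
    AclRule("pwdExclude", "ou=weak,dc=example,dc=com", frozenset({"self"})),
]

APP_ACCOUNT = Entry("cn=svc-backup,ou=people,dc=example,dc=com", {"pwdExclude": ["TRUE"]})
HUMAN = Entry("uid=alice,ou=people,dc=example,dc=com", {})
MALFORMED = Entry("cn=svc-x,ou=people,dc=example,dc=com", {"pwdExclude": ["true"]})
SELF_SERVICE = Entry("uid=bob,ou=weak,dc=example,dc=com", {"pwdExclude": ["TRUE"]})

if __name__ == "__main__":
    for e in (APP_ACCOUNT, HUMAN, MALFORMED, SELF_SERVICE):
        print(e.dn, "exempt:", is_exempt(e, ACL))
```

The point of the second ACL rule is the case Ludovic worries about: if an entry's owner can write pwdExclude, the strict check simply enforces the policy anyway, which is cheaper than a separate audit of who may write what.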