[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....

To: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
Subject: Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
From: Howard Chu <hyc@highlandsun.com>
Date: Mon, 05 Jul 2010 15:03:34 -0700
Cc: ldapext <ldapext@ietf.org>
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <77215DBF-C6F8-48FF-B5E9-7F57D0720145@Isode.com>
References: <77215DBF-C6F8-48FF-B5E9-7F57D0720145@Isode.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.3a5pre) Gecko/20100607 Firefox 3.6

Kurt Zeilenga wrote:

The spec specifically allows for an user entry to be controlled by
multiple

policies (each for a different password attribute) but then defines
pwdPolicySubentry to be single-valued.

It seems to me that the text as a whole doesn't really well consider the

implications of multiple applicable password policies.

I'm pretty sure the intention has always been for only a single policy toapply to any given entry. Note that it already explicitly requires only asingle password value to be present in any entry.

When you see that the spec allows for a different password attribute to beused, I take this to mean that within an entire directory, multiple passwordattributes may be used. But for any given entry, it must have only onepassword value, regardless of which attribute carries it.

In our current implementation, we do implement 5.3.1, and mandate that
only

a single password policy be applicable to a given user.


We currently looking at userPassword v. authPassword implications with

regard to auto-migration, as we're now supporting the latter for SCRAM
authentication. I think we'll assume that if both are present in an entry,
they represent the same same user password. We'll like need to support both
RFC 2307 hashing and in conjunction with SCRAM authPassword hashing so that
users can use either TLS+SimpleBind(WithPassword) or SCRAM.


I don't see the value of having two disjoint password policies, one for
each

attribute. What I believe our customers will demand is an unified password
policy covering both of these attributes. (I can see a possible desire to
support a disjoint password policy covering passwords for directory
application specific passwords, such as when one has a different directory
password from say an email password stored in the directory. However, our
customers which have different passwords for different directory applications
tend to rely on multiple entries per user, one per directory application (with
service-level authorization restrictions), not multiple passwords attributes
in a single entry.)

-- Kurt


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
- Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>

References:
- [ldapext] password policy: multiple subentries, multiple password attributes, ....
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>

Prev by Date: Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
Next by Date: Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
Index(es):
- Chronological
- Thread