[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] password policy: exclude (or exempt) user from policy

To: Michael Ströder <michael@stroeder.com>
Subject: Re: [ldapext] password policy: exclude (or exempt) user from policy
From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
Date: Thu, 8 Jul 2010 06:43:31 -0700
Cc: ldapext <ldapext@ietf.org>
Delivered-to: ldapext@core3.amsl.com
In-reply-to: <4C35820A.60909@stroeder.com>
References: <74306214-8DF5-4252-A9ED-18E83FCE9432@Isode.com> <4C32411E.4060502@highlandsun.com> <BE50A349-98CC-4103-AE48-90452BFAA315@Isode.com> <4C35820A.60909@stroeder.com>

On Jul 8, 2010, at 12:45 AM, Michael Ströder wrote:

> Kurt Zeilenga wrote:
>> 
>> On Jul 5, 2010, at 1:31 PM, Howard Chu wrote:
>> 
>>> Kurt Zeilenga wrote:
>>>> It is desirable to have a mechanism to exclude (or exempt) a user from the
>>>> policy.  For instance, it's nasty for various accounts associated with
>>>> application entities (as opposed to humans) to be locked out.
>>>> 
>>>> In the Isode implementation, we have an operational single-valued
>>>> attribute, pwdExclude, which if present in the user's entry and has the
>>>> boolean value TRUE exempts the user from all password policy enforcement.
>>>> 
>>>> It would be good to add something like this to the spec.
>>> 
>>> That sounds backward to me.
>> 
>> It's modeled after collective attribute exclusions.
>> 
>>> You should just define a specific policy for those accounts, and turn off
>>> everything you don't want enforced in that policy.
>> 
>> That can be pain depending on how one organizes their account objects.
> 
> Why do you think that the pointer to a separate policy cannot be a collective
> attribute? Maybe I got you wrong though.

The pointer to policy comes from the policy's subtree specification.  X.500 subtree specification has its limit.  See Ludo's comments that  this was addressed in OpenDS via subtree specification extensions.

I also think the tracking argument is kind of bogus.  From our experience, administrators find it natural to go to the user's entry to see determine its configuration...  and to determine all such excluded entries, it's a simple search operation.

And we already have pwdAccountLockedTime which admins can use to lock an user from the user's entry.  It seems all the arguments against pwdExclude would apply to pwdAccountLockedTime and it's funky 000001010000Z value.

Now, if others don't find pwdExclude generally useful, fine.  We'll keep it as a vendor-specific extension.

-- Kurt
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext

References:
- [ldapext] password policy: exclude (or exempt) user from policy
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
- Re: [ldapext] password policy: exclude (or exempt) user from policy
  - From: Howard Chu <hyc@highlandsun.com>
- Re: [ldapext] password policy: exclude (or exempt) user from policy
  - From: Kurt Zeilenga <Kurt.Zeilenga@Isode.com>
- Re: [ldapext] password policy: exclude (or exempt) user from policy
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: [ldapext] password policy: exclude (or exempt) user from policy
Next by Date: Re: [ldapext] password policy: multiple subentries, multiple password attributes, ....
Index(es):
- Chronological
- Thread