
[ldapext] password policy: account vs. password idling

pwdMaxIdle and pwdLastSuccess are described in terms of "account idling" not "password idling".  That is, "This attribute specifies the number of seconds an account may remain unused before it becomes locked" and "This attribute holds the timestamp of the last successful authentication."

As defined now, if a user has both a password and a certificate but only uses the certificate for authentication (TLS+EXTERNAL), the password remains vulnerable to attack.

Given this is the "password policy" not a more general "account policy", this specification should focus on disabling passwords when not actively used... leaving disabling of inactive accounts to a future "account policy" specification.

-- Kurt
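As an added illustration (not part of Kurt's message or of the password policy draft), the following Python sketch contrasts the two readings of pwdMaxIdle in the scenario described above: a user who binds once with the password and thereafter only via TLS+EXTERNAL. pwdLastSuccess is the draft's attribute; pwdLastPasswordSuccess, the PASSWORD_MECHANISMS set, the treatment of a zero or absent value as "no idle check", and the constructed timeline are assumptions made for this example only.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumption: these SASL/bind mechanisms are the ones that actually present the password.
PASSWORD_MECHANISMS = {"simple", "PLAIN"}
SECONDS_PER_DAY = 86400


def record_success(entry: dict, mechanism: str, when: datetime) -> None:
    """Update an entry after a successful bind.

    pwdLastSuccess (the draft's attribute) is bumped on *any* successful
    authentication.  pwdLastPasswordSuccess is a hypothetical attribute,
    assumed for this example, bumped only when the password itself was used.
    """
    entry["pwdLastSuccess"] = when
    if mechanism in PASSWORD_MECHANISMS:
        entry["pwdLastPasswordSuccess"] = when


def _idle_exceeded(last: Optional[datetime], max_idle: int, now: datetime) -> bool:
    # Assumption: a zero/absent pwdMaxIdle or a missing timestamp means no idle check.
    if max_idle <= 0 or last is None:
        return False
    return (now - last) > timedelta(seconds=max_idle)


def password_locked_account_idling(entry: dict, max_idle: int, now: datetime) -> bool:
    """pwdMaxIdle as currently worded: idle time measured from the last success of any kind."""
    return _idle_exceeded(entry.get("pwdLastSuccess"), max_idle, now)


def password_locked_password_idling(entry: dict, max_idle: int, now: datetime) -> bool:
    """The reading the message argues for: idle time measured from the last *password* success."""
    return _idle_exceeded(entry.get("pwdLastPasswordSuccess"), max_idle, now)


def scenario(days_of_cert_use: int = 400, max_idle_days: int = 90) -> dict:
    """Constructed timeline: one password bind, then one TLS+EXTERNAL bind per day.

    Returns whether the password would be considered idle-locked under each reading.
    """
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    entry: dict = {}
    record_success(entry, "simple", start)          # the only password use
    now = start
    for day in range(1, days_of_cert_use + 1):
        now = start + timedelta(days=day)
        record_success(entry, "EXTERNAL", now)       # certificate-based binds keep the account "active"
    max_idle = max_idle_days * SECONDS_PER_DAY
    return {
        "account_idling": password_locked_account_idling(entry, max_idle, now),
        "password_idling": password_locked_password_idling(entry, max_idle, now),
    }


if __name__ == "__main__":
    # Under account idling the daily certificate binds keep the unused password live;
    # under password idling it is locked once it has gone unused longer than pwdMaxIdle.
    print(scenario())
```

The point the sketch makes is the one in the message: with the attribute semantics as written, a credential that is never presented never becomes idle, so the idle check gives no protection for a password that is only a fallback. Measuring idleness per credential (the second function) closes that gap without touching the account as a whole.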


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext