
Re: [ldapext] password policy: account vs. password idling

I agree. 
Note taken for the next update.

Ludo

On Aug 10, 2010, at 5:12 PM, Kurt Zeilenga wrote:

> pwdMaxIdle and pwdLastSuccess are described in terms of "account idling" not "password idling".  That is, "This attribute specifies the number of seconds an account may remain unused before it becomes locked" and "This attribute holds the timestamp of the last successful authentication."
> 
> As defined now, if a user has both a password and a certificate but only uses the certificate for authentication (TLS+EXTERNAL), the password remains vulnerable to attack.
> 
> Given this is the "password policy" not a more general "account policy", this specification should focus on disabling passwords when not actively used... leaving disabling of inactive accounts to a future "account policy" specification.
> 
> -- Kurt
> 
> 
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www.ietf.org/mailman/listinfo/ldapext

---
Ludovic Poitou                                   Oracle
OpenDS community Manager, Directory Services Architect
http://blogs.sun.com/Ludo/         Grenoble Engineering Center - France

OpenDS, the Java LDAP Directory Server
http://www.opends.org
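To make the gap Kurt describes concrete, here is an added example (not code from the draft, from OpenDS or from any other directory server) that evaluates the idle rule two ways over a constructed login history. pwdMaxIdle, pwdLastSuccess and pwdChangedTime are the draft's attribute names; `last_password_use` is a hypothetical password-centric timestamp invented here to show the alternative semantic. A user who only ever binds with a client certificate (TLS + SASL EXTERNAL) keeps refreshing pwdLastSuccess, so the account-idling rule never locks the password, while a password-idling rule locks it once it has gone unused for pwdMaxIdle seconds.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed reference time: the date of the message in this thread.
NOW = datetime(2010, 8, 10, 17, 12, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass
class AuthEvent:
    """One successful authentication and the mechanism that produced it."""
    when: datetime
    mechanism: str  # "simple" = password bind, "EXTERNAL" = TLS client certificate


@dataclass
class UserEntry:
    dn: str
    pwd_changed_time: datetime             # pwdChangedTime: when the password was set
    pwd_max_idle: int                      # pwdMaxIdle, in seconds
    successes: List[AuthEvent] = field(default_factory=list)


def pwd_last_success(entry: UserEntry) -> Optional[datetime]:
    """pwdLastSuccess as the draft describes it: the last successful
    authentication by any mechanism (account idling)."""
    if not entry.successes:
        return None
    return max(e.when for e in entry.successes)


def last_password_use(entry: UserEntry) -> Optional[datetime]:
    """Hypothetical attribute (not in the draft): the last successful
    authentication that actually proved possession of the password."""
    uses = [e.when for e in entry.successes if e.mechanism == "simple"]
    return max(uses) if uses else None


def idle_locked(entry: UserEntry, last_use: Optional[datetime], now: datetime) -> bool:
    """Shared idle rule: locked when the reference time is more than pwdMaxIdle
    seconds in the past. With no recorded use, fall back to pwdChangedTime so a
    password that was set but never used still ages out."""
    reference = last_use or entry.pwd_changed_time
    return (now - reference) > timedelta(seconds=entry.pwd_max_idle)


def account_idle_locked(entry: UserEntry, now: datetime = NOW) -> bool:
    """Draft semantics: idleness measured from pwdLastSuccess."""
    return idle_locked(entry, pwd_last_success(entry), now)


def password_idle_locked(entry: UserEntry, now: datetime = NOW) -> bool:
    """Password semantics Kurt argues for: idleness measured from last password use."""
    return idle_locked(entry, last_password_use(entry), now)


def scenario_certificate_only() -> UserEntry:
    """Constructed user: password set 400 days ago, never used, but the user
    binds with a certificate regularly (most recently yesterday)."""
    return UserEntry(
        dn="uid=alice,ou=people,dc=example,dc=com",
        pwd_changed_time=NOW - 400 * DAY,
        pwd_max_idle=90 * 24 * 3600,
        successes=[
            AuthEvent(NOW - 30 * DAY, "EXTERNAL"),
            AuthEvent(NOW - 1 * DAY, "EXTERNAL"),
        ],
    )


def scenario_password_user() -> UserEntry:
    """Constructed user who actually binds with the password (10 days ago)."""
    return UserEntry(
        dn="uid=bob,ou=people,dc=example,dc=com",
        pwd_changed_time=NOW - 400 * DAY,
        pwd_max_idle=90 * 24 * 3600,
        successes=[AuthEvent(NOW - 10 * DAY, "simple")],
    )


if __name__ == "__main__":
    for entry in (scenario_certificate_only(), scenario_password_user()):
        print(entry.dn,
              "account-idle locked:", account_idle_locked(entry),
              "password-idle locked:", password_idle_locked(entry))
```

Under the draft's wording alice's unused 400-day-old password stays live because her certificate binds keep updating pwdLastSuccess; under the password-centric rule it is locked, while bob, who really uses his password, is unaffected either way.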
