
Re: [ldapext] password policy: account vs. password idling



Then why would they be named pwdLastSuccess and pwdMaxIdle?
Seems like a poor choice for naming.

On Tuesday, August 10, 2010, Ludovic Poitou <Ludovic.Poitou@sun.com> wrote:
> I agree.
> Note taken for the next update.
>
> Ludo
>
> On Aug 10, 2010, at 5:12 PM, Kurt Zeilenga wrote:
>
>> pwdMaxIdle and pwdLastSuccess are described in terms of "account idling" not "password idling".  That is, "This attribute specifies the number of seconds an account may remain unused before it becomes locked" and "This attribute holds the timestamp of the last successful authentication."
>>
>> As defined now, if a user has both a password and a certificate but only uses the certificate for authentication (TLS+EXTERNAL), the password remains vulnerable to attack.
>>
>> Given this is the "password policy" not a more general "account policy", this specification should focus on disabling passwords when not actively used... leaving disabling of inactive accounts to a future "account policy" specification.
>>
>> -- Kurt
>>
>>
>> _______________________________________________
>> Ldapext mailing list
>> Ldapext@ietf.org
>> https://www.ietf.org/mailman/listinfo/ldapext
>
> ---
> Ludovic Poitou                                   Oracle
> OpenDS community Manager, Directory Services Architect
> http://blogs.sun.com/Ludo/         Grenoble Engineering Center - France
>
> OpenDS, the Java LDAP Directory Server
> http://www.opends.org
>

-- 

-jim
Jim Willeke
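To make the gap Kurt describes concrete, here is an added Python simulation (not code from the draft, OpenDS, or any poster) of a certificate-only user under the two readings of pwdLastSuccess: "account idling", where any successful authentication refreshes the timestamp, versus "password idling", where only a password bind does. The Entry class, the record_success/password_idle_locked functions and the 90-day pwdMaxIdle value are assumptions for illustration; the attribute names and their unit (seconds) come from the quoted draft text.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum


class AuthMethod(Enum):
    PASSWORD = "simple bind with password"
    EXTERNAL = "SASL EXTERNAL over TLS (client certificate)"


def parse_generalized_time(value: str) -> datetime:
    """Parse the LDAP GeneralizedTime form used for pwdLastSuccess, e.g. 20100810151200Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


class Entry:
    """Minimal stand-in (assumption) for a directory entry carrying policy attributes."""

    def __init__(self, pwd_last_success: str, pwd_max_idle_seconds: int):
        self.attrs = {"pwdLastSuccess": pwd_last_success, "pwdMaxIdle": str(pwd_max_idle_seconds)}


def record_success(entry: Entry, method: AuthMethod, now: datetime, account_semantics: bool) -> None:
    """Refresh pwdLastSuccess after a successful authentication.

    account_semantics=True  -> the draft's current wording: any successful auth counts.
    account_semantics=False -> Kurt's proposal: only password-based auth counts.
    """
    if account_semantics or method is AuthMethod.PASSWORD:
        entry.attrs["pwdLastSuccess"] = format_generalized_time(now)


def password_idle_locked(entry: Entry, now: datetime) -> bool:
    """True when the password has sat unused longer than pwdMaxIdle seconds."""
    last = parse_generalized_time(entry.attrs["pwdLastSuccess"])
    return now - last > timedelta(seconds=int(entry.attrs["pwdMaxIdle"]))


def simulate(account_semantics: bool, days: int = 400, max_idle_seconds: int = 90 * 86400) -> bool:
    """Certificate-only user logs in daily for `days` days; report whether the password ends up locked."""
    start = datetime(2010, 8, 10, 15, 12, 0, tzinfo=timezone.utc)  # constructed sample timestamp
    entry = Entry(format_generalized_time(start), max_idle_seconds)
    now = start
    for day in range(1, days + 1):
        now = start + timedelta(days=day)
        record_success(entry, AuthMethod.EXTERNAL, now, account_semantics)  # never a password bind
    return password_idle_locked(entry, now)
```

Under the current "account idling" wording simulate(True) returns False (the unused password never locks), while the password-idling reading simulate(False) returns True once 90 days without a password bind have passed.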