Re: (ITS#5389) Contribution: JLDAP support for password policy response control
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#5389) Contribution: JLDAP support for password policy response control
- From: firstname.lastname@example.org
- Date: Tue, 28 Apr 2009 23:29:37 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Rastogi Arpit wrote:
> Hi Raymond,
> This is just for my understanding. Is the Password Policy response a
> standard? What is the requirement of this particular feature to be
> present in JLDAP? What is this feature and how can it be used?
> We can take it in if this is a standard, but if this is not a standard
> then we cannot take this in as this will make the code bulkier.
The Password Policy control is based on the IETF password policy proposal
for LDAP. The following URLs provide more detail on it:
Essentially the code I've provided allows users of JLDAP to send password
policy request control messages and interpret the directory server
responses. It can be used in the following instances:
* At bind time where the directory server can indicate whether the
  user's account is about to expire, has expired, or is locked.
    * If the account is about to expire, how long before this occurs.
    * If the account has expired, how many grace logins are left before
      the account is locked out.
* At password reset time where the directory server can indicate whether
  the new password meets password policy requirements including:
    * Whether the password is strong enough.
    * Whether the new password set is one that has already been used.
These and more are described in the URLs I have provided.
Although it is an expired draft, it is supported by OpenLDAP (in slapd
via the slapo-ppolicy overlay and is also supported by the ldapsearch
client). It is also supported by the following LDAP servers (there may
be more but these are the ones I do use):
IBM Tivoli directory server
The functionality provided by the code I've written is also available in
other programming languages (Perl via Net::LDAP and in other Java LDAP
Raymond B. Edah
e-mail: t2tre ^ skyblue.eu.com
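
As an added example (not part of the original message and not the contributed JLDAP code), the Java class below decodes the BER value of the password policy response control described above, following the ASN.1 layout in the IETF draft (response control OID 1.3.6.1.4.1.42.2.27.8.5.1). The class name, method names and sample bytes are assumptions made for illustration.

```java
// Added example, not JLDAP code. Field names and error codes follow the IETF draft's ASN.1.
public class PPolicyResponseDecoder {
    static final String[] ERRORS = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };
    int timeBeforeExpiration = -1, graceAuthNsRemaining = -1; // -1: not sent by the server
    String error;                                              // null: not sent by the server
    private byte[] buf;                                        // control value being decoded
    private int pos;                                           // read cursor into buf
    static PPolicyResponseDecoder decode(byte[] value) {
        PPolicyResponseDecoder r = new PPolicyResponseDecoder();
        r.buf = value;
        int[] seq = r.tlv(value.length);
        if (seq[0] != 0x30 || seq[1] != value.length) throw new IllegalArgumentException("not a SEQUENCE");
        while (r.pos < seq[1]) {
            int[] f = r.tlv(seq[1]);
            if (f[0] == 0xA0) {                        // warning [0], wraps the CHOICE
                int[] w = r.tlv(f[1]);
                if (w[1] != f[1]) throw new IllegalArgumentException("bad warning");
                if (w[0] == 0x80) r.timeBeforeExpiration = r.uint(w[1]);       // seconds
                else if (w[0] == 0x81) r.graceAuthNsRemaining = r.uint(w[1]);
                else throw new IllegalArgumentException("unknown warning choice");
            } else if (f[0] == 0x81) {                 // error [1] ENUMERATED
                int code = r.uint(f[1]);
                r.error = code < ERRORS.length ? ERRORS[code] : "unknown(" + code + ")";
            } else throw new IllegalArgumentException("unexpected tag");
        }
        return r;
    }
    // Reads one tag/length header, returns {tag, index past the value}. Short-form lengths only.
    private int[] tlv(int limit) {
        if (pos + 2 > limit) throw new IllegalArgumentException("truncated");
        int tag = buf[pos++] & 0xFF, len = buf[pos++] & 0xFF;
        if (len > 0x7F || len > limit - pos) throw new IllegalArgumentException("bad length");
        return new int[] { tag, pos + len };
    }
    // Reads a non-negative INTEGER or ENUMERATED body of 1 to 4 bytes that ends at 'end'.
    private int uint(int end) {
        if (end == pos || end - pos > 4 || buf[pos] < 0) throw new IllegalArgumentException("bad integer");
        int v = 0;
        while (pos < end) v = (v << 8) | (buf[pos++] & 0xFF);
        return v;
    }
    public static void main(String[] args) {
        byte[][] samples = { { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x80, 0x01, 0x3C },
            { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02 },
            { 0x30, 0x03, (byte) 0x81, 0x01, 0x01 } };  // constructed sample values
        for (byte[] s : samples) {
            PPolicyResponseDecoder r = decode(s);
            System.out.println(r.timeBeforeExpiration + " " + r.graceAuthNsRemaining + " " + r.error);
        }
    }
}
```

A client should treat a successful bind that carries the changeAfterReset error, or a grace-login warning, as a restricted session and prompt for a password change rather than proceeding as a normal login.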