[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: password policy enforcement

Seems like a reasonably inobtrusive enhancement. Define a couple new
attributeTypes (for example):
    loginDisabled (boolean) - is the account locked?
    loginFailures (integer) - how many failures have there been?
    loginMaxFailures (integer) - how many allowed before autolock occurs?

Ideally "loginFailures" would be an operational attribute, but I don't think
it's a big problem.

Assuming you massage your users' objectclasses appropriately to allow for
your new attributes, the enforcement logic can all be encapsulated in bind.c
in the respective backends. (It would of course be nice if you could  put it
in the slapd front end, so that any/all backends can use it. I don't see an
easy way to do this, though.) The code in bind already has to retrieve an
entry for the DN in question, so you can readily pull the current state of
any locking attributes. Storing the modified attributes when login failures
occur shouldn't be too hard either.

I really wish the backend architecture wasn't modeled on the notion of
individual backends being individual DSAs, sending results to the client
independently of each other. If it had been structured such that all results
were returned to the slapd mainline, then it would be simple for a single
generic frontend "bind" routine to fetch bindDN entries from any particular
backend, do all the boilerplate password validation, etc., without it
needing to be redundantly managed in each individual backend. If ACL
checking were consolidated in the front end, then the generic frontend bind
would also have no trouble storing the updated entries back into their
respective backends as bookkeeping items were recorded. Need more time...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc

> -----Original Message-----
> From: owner-openldap-devel@OpenLDAP.org
> [mailto:owner-openldap-devel@OpenLDAP.org]On Behalf Of Dustin Sallings
> Sent: Tuesday, February 29, 2000 2:15 AM
> To: openldap-devel@OpenLDAP.org
> Subject: password policy enforcement
> 	Hi, I brought this thread up in openldap-general and it was
> suggested that I bring it over here.
> 	This is my most basic set of needs:
> 	Ability to lock and unlock authentication for an entry.
> 	Ability to have an entry autolock on failure (x bad passwords).
> This is pretty important to me, and I don't mind doing the work, but I'd
> like existing developers to give me an idea of what the scope is, and what
> the right way to wedge it into the existing code base might be.  Thanks a
> lot.
> --
> dustin sallings                            The world is watching America,
> http://2852210114/~dustin/                 and America is watching TV.