[Date Prev][Date Next]
Re: password policy - alternate lockout mechanism
Aravind Gottipati wrote:
This thread has been dead for some time now. Here is the link to the
original thread and all the follow-up discussion
An ITS request (5911) was in place for the feature (looks like its
been closed since), Howard had suggested that these requests generally
get worked on as and when folks have time to implement them.
I closed that ITS because we viewed it as a security liability, not as a
feature worthy of implementing. I think that conclusion was already clear from
the earlier mailing list discussion.
In this case, we've done a fair bit of tweaks in the ppolicy code recently.
Your suggestions were not missed due to lack of time, they were rejected due
to lack of technical merit.
We (at Mozilla) needed this feature to better support users in-house,
so we contracted the development out to Zytrax. I am happy to inform
you that this code is now ready and works for us on both 2.4.13 and
2.4.16. Here is the link
(http://www.zytrax.com/books/ldap/ch6/ppolicy.html) to the
documentation from Zytrax about how this feature works and also
contains links to download the code. I am not sure how we'd go about
getting this code integrated into mainline OpenLDAP, but we would love
for this code to be a part of the regular OpenLDAP releases. This
code plays nice with existing setups in that its features are turned
off by default and it behaves exactly as the original ppolicy module
Generally, we implement features according to the published specs. If you
believe this feature is valuable, you should push to have it included in the
next version of the ppolicy draft. I've been pushing for a few additions
recently as well.
Please let me know if you have any questions about how this works or
if there are other concerns about including this in regular OpenLDAP
Follow the Contributing guidelines if you want the code considered for
inclusion. Of course since folks at Zytrax are the actual authors, they're the
ones who will have to do the actual submission.
But again, nothing is going to happen without buy-in from other reviewers and
adoption into the published draft. I suspect that in its current form, no one
is going to back this idea though because it is fundamentally unsound.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/