
Re: password policy - alternate lockout mechanism

Aravind Gottipati wrote:
Hi,

This thread has been dead for some time now.  Here is the link to the
original thread and all the follow-up discussion
(http://www.openldap.org/lists/openldap-software/200901/msg00147.html).
An ITS request (5911) was in place for the feature (looks like it's
been closed since); Howard had suggested that these requests generally
get worked on as and when folks have time to implement them.

I closed that ITS because we viewed it as a security liability, not as a feature worthy of implementing. I think that conclusion was already clear from the earlier mailing list discussion.

In this case, we've done a fair bit of tweaks in the ppolicy code recently. Your suggestions were not missed due to lack of time, they were rejected due to lack of technical merit.

We (at Mozilla) needed this feature to better support users in-house,
so we contracted the development out to Zytrax.  I am happy to inform
you that this code is now ready and works for us on both 2.4.13 and
2.4.16.  Here is the link
(http://www.zytrax.com/books/ldap/ch6/ppolicy.html) to the
documentation from Zytrax about how this feature works and also
contains links to download the code.  I am not sure how we'd go about
getting this code integrated into mainline OpenLDAP, but we would love
for this code to be a part of the regular OpenLDAP releases.  This
code plays nice with existing setups in that its features are turned
off by default and it behaves exactly as the original ppolicy module
does.

Generally, we implement features according to the published specs. If you believe this feature is valuable, you should push to have it included in the next version of the ppolicy draft. I've been pushing for a few additions recently as well.

http://www.openldap.org/lists/ietf-ldapext/200907/msg00001.html

Please let me know if you have any questions about how this works or
if there are other concerns about including this in regular OpenLDAP
software releases.

Follow the Contributing guidelines if you want the code considered for inclusion. Of course since folks at Zytrax are the actual authors, they're the ones who will have to do the actual submission.

http://www.openldap.org/devel/contributing.html

But again, nothing is going to happen without buy-in from other reviewers and adoption into the published draft. I suspect that in its current form, no one is going to back this idea though because it is fundamentally unsound.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/