[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] Unfinished business: password policy and VLV

Kurt Zeilenga wrote:

I note that the ITU/ISO has been working on a X.500 Password Policy
mechanism, see<http://www.x500standard.com/index.php?
n=Ig.Extension>.  I would argue that if the IETF is to do anything in
the area of password policy standardization, it should consider simply
adapting the X.500 mechanism for use in LDAP.

I encourage those who have issue with the ITU/ISO proposal to comment
on the X.500 mailing list, see<http://www.x500standard.com/index.php?n=Participate.MailingList

I've sent an initial set of comments to the X.500 list. It seems that a number of the concerns you raised with the Behera spec are already addressed in their current draft. E.g., they at least mention the DOS problems with failure-based lockouts, providing policy state attributes for delaying instead of plain lockouts.

The X.500 draft also supports time-based password history limiting and grace logins, which looks good. It has some obvious flaws too, such as storing the pwdExpirationDate instead of just computing it from pwdChangedTime and pwdExpireAge.

In the meantime, whether we discuss this in the X.500 context or here, I'd like to add these features in addition to what has already been discussed:
   a) pwdStartDate - when the credential becomes valid
   b) pwdLastSuccess - date of the last successful authentication
c) pwdMaxIdle - interval after which account is locked if no successful auth occurs

And also an extended op "ExternalBind" for allowing external authentication providers to interact with the existing policy. I.e., this op will supply an LDAP username and a success/fail code to the directory server, and the server will execute the policy mechanisms accordingly. (E.g., if a Fail code is supplied then the failure time and any relevant lockouts are recorded.)

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Ldapext mailing list