
Re: [ldapext] Unfinished business: password policy and VLV
Kurt Zeilenga wrote:
Howard,

I note that the ITU/ISO has been working on an X.500 Password Policy mechanism, see <http://www.x500standard.com/index.php?n=Ig.Extension>. I would argue that if the IETF is to do anything in the area of password policy standardization, it should consider simply adapting the X.500 mechanism for use in LDAP.

I encourage those who have issues with the ITU/ISO proposal to comment on the X.500 mailing list, see <http://www.x500standard.com/index.php?n=Participate.MailingList>.

I've sent an initial set of comments to the X.500 list. It seems that a number of the concerns you raised with the Behera spec are already addressed in their current draft. E.g., they at least mention the DoS problems with failure-based lockouts, providing policy state attributes for delaying instead of plain lockouts.

The X.500 draft also supports time-based password history limiting and grace logins, which looks good. It has some obvious flaws too, such as storing the pwdExpirationDate instead of just computing it from pwdChangedTime and pwdExpireAge.

In the meantime, whether we discuss this in the X.500 context or here, I'd like to add these features in addition to what has already been discussed:
   a) pwdStartDate - when the credential becomes valid
   b) pwdLastSuccess - date of the last successful authentication
   c) pwdMaxIdle - interval after which account is locked if no successful auth occurs

And also an extended op "ExternalBind" for allowing external authentication providers to interact with the existing policy. I.e., this op will supply an LDAP username and a success/fail code to the directory server, and the server will execute the policy mechanisms accordingly. (E.g., if a Fail code is supplied then the failure time and any relevant lockouts are recorded.)

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www.ietf.org/mailman/listinfo/ldapext
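The following is an added illustration of the policy state discussed in the message above; it is not code from the X.500 draft, the Behera draft or OpenLDAP. Only the attribute names pwdChangedTime, pwdExpireAge, pwdStartDate, pwdLastSuccess and pwdMaxIdle come from the thread. Everything else is assumed for the example: pwdFailureTime kept as a list of failure timestamps, a 15-minute failure-count window, a growing per-failure delay in place of a hard lockout, pwdChangedTime as the idle baseline when no success has been recorded, and the sample directory entries. It models the two points made above: pwdExpirationDate is derived from pwdChangedTime plus pwdExpireAge rather than stored, and an ExternalBind-style call hands the server a username plus a success/fail result and lets the server apply the policy transitions.

```python
"""Toy model of the password-policy evaluation discussed in the thread.
Added illustration, not the X.500/Behera/OpenLDAP implementation; the
window, delay schedule, pwdFailureTime list and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class PolicyState:
    pwdChangedTime: datetime
    pwdExpireAge: timedelta
    pwdStartDate: Optional[datetime] = None    # proposed (a)
    pwdLastSuccess: Optional[datetime] = None  # proposed (b)
    pwdMaxIdle: Optional[timedelta] = None     # proposed (c)
    pwdFailureTime: List[datetime] = field(default_factory=list)  # assumed


# Assumed parameters: failures older than the window are ignored, and each
# recent failure lengthens the delay before the next attempt is accepted,
# instead of locking the account outright (the DoS concern in the thread).
FAILURE_COUNT_WINDOW = timedelta(minutes=15)
DELAY_SCHEDULE = [timedelta(0), timedelta(seconds=1),
                  timedelta(seconds=5), timedelta(seconds=30)]


def expiration_date(state: PolicyState) -> datetime:
    # Derived, never stored, so it cannot go stale when either input changes.
    return state.pwdChangedTime + state.pwdExpireAge


def recent_failures(state: PolicyState, now: datetime) -> List[datetime]:
    cutoff = now - FAILURE_COUNT_WINDOW
    return [t for t in state.pwdFailureTime if t >= cutoff]


def required_delay(state: PolicyState, now: datetime) -> timedelta:
    n = len(recent_failures(state, now))
    return DELAY_SCHEDULE[min(n, len(DELAY_SCHEDULE) - 1)]


def check_bind(state: PolicyState, now: datetime) -> Tuple[bool, str]:
    """Policy checks independent of credential verification: (allowed, reason)."""
    if state.pwdStartDate is not None and now < state.pwdStartDate:
        return False, "not yet valid"
    if now >= expiration_date(state):
        return False, "password expired"
    if state.pwdMaxIdle is not None:
        baseline = state.pwdLastSuccess or state.pwdChangedTime  # assumption
        if now - baseline > state.pwdMaxIdle:
            return False, "idle too long"
    if state.pwdFailureTime:
        earliest_next = state.pwdFailureTime[-1] + required_delay(state, now)
        if now < earliest_next:
            return False, "delayed"
    return True, "ok"


def external_bind(directory: Dict[str, PolicyState], username: str,
                  success: bool, now: datetime) -> str:
    """Model of the proposed ExternalBind op: an external provider reports a
    username and a success/fail result; the server applies the policy."""
    state = directory.get(username)
    if state is None:
        return "no such user"
    allowed, reason = check_bind(state, now)
    if not allowed:
        return reason
    if success:
        state.pwdLastSuccess = now
        state.pwdFailureTime.clear()
        return "ok"
    state.pwdFailureTime = recent_failures(state, now) + [now]
    return "failure recorded"


NOW = datetime(2010, 1, 1, 12, 0, tzinfo=timezone.utc)
_AGE, _DAY = timedelta(days=30), timedelta(days=1)


def sample_directory() -> Dict[str, PolicyState]:
    """Constructed sample entries, not real directory data."""
    return {
        "alice": PolicyState(NOW - 10 * _DAY, _AGE),
        "bob":   PolicyState(NOW - 40 * _DAY, _AGE),
        "carol": PolicyState(NOW - _DAY, _AGE, pwdStartDate=NOW + _DAY),
        "dave":  PolicyState(NOW - 10 * _DAY, _AGE,
                             pwdLastSuccess=NOW - 8 * _DAY, pwdMaxIdle=7 * _DAY),
    }


def run_scenario() -> List[str]:
    """A sequence of ExternalBind reports against the sample directory."""
    d, s = sample_directory(), timedelta(seconds=1)
    return [
        external_bind(d, "bob", True, NOW),           # expired (NOW-40d + 30d)
        external_bind(d, "carol", True, NOW),         # pwdStartDate in future
        external_bind(d, "dave", True, NOW),          # 8 days idle > pwdMaxIdle
        external_bind(d, "alice", False, NOW),        # first failure recorded
        external_bind(d, "alice", False, NOW),        # 1 s delay not elapsed
        external_bind(d, "alice", False, NOW + s),    # second failure recorded
        external_bind(d, "alice", True, NOW + 2 * s), # 5 s delay not elapsed
        external_bind(d, "alice", True, NOW + 6 * s), # ok, failures cleared
        external_bind(d, "alice", False, NOW + 7 * s),  # count restarts at 1
    ]


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Note that check_bind runs even for a reported failure, so an external provider that keeps reporting failures during the delay window is told "delayed" and does not push the failure count up further; whether the real op should count such attempts is a policy choice the thread leaves open.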