Password Policy for LDAP Directories
- To: ietf-ldapbis@OpenLDAP.org
- Subject: Password Policy for LDAP Directories
- From: Gabriele Garuglieri <gabriele.garuglieri@infoblu.it>
- Date: Thu, 09 Sep 2004 13:58:17 +0200
- Organization: Infoblu spa
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040803
I'm writing some Java classes that deal with
PasswordPolicyResponseValue and I'm having some doubts about the Behera
draft. I'd be glad if someone could clarify the points that follow these
two quotes from the Behera draft:
-------
4.3.4 pwdExpirationWarned
This attribute contains the time when the password expiration
warning was first sent to the client. The password will expire in
the pwdExpireWarning time.
-------
D. Calculates whether the time before expiration warning should
be sent.
If the pwdExpireWarning attribute is present and contains a
value, the server MUST perform the following steps.
If the pwdExpirationWarned attribute is present and has a
time value, the warning time is the value of the
pwdExpirationWarned attribute plus the value of the
pwdExpireWarning attribute minus the current time.
If the pwdExpirationWarned attribute is not present, the
server MUST subtract the current time from the time stored
in pwdChangedTime to arrive at the password's age. If the
age is greater than the value of the pwdMaxAge attribute
minus the value of the pwdExpireWarning attribute, the
server MUST set the current time as the value of the
pwdExpirationWarned attribute, and the warning time is the
value of pwdMaxAge minus the password's age.
-------
Reading the above I come to the following assumptions, please correct
me if they are wrong:
1- the password will expire at (pwdExpirationWarned plus
pwdExpireWarning) date.
2- the first time I bind within the warning period, when the
pwdExpirationWarned is not yet initialized, the calculated warning time
is equal to (pwdChangedTime plus pwdMaxAge) minus current time.
3- the second time I bind within the warning period, when the
pwdExpirationWarned is already initialized, the calculated warning time
is equal to (pwdExpirationWarned plus pwdExpireWarning) minus current
time, which is a value surely larger than the one calculated during
the first bind.
The last two points have the following implications:
4- if I calculate the expiration date using the returned warning time I
obtain two different values between the first and any subsequent bind within
the warning period, which I think is not very consistent.
5- the real expiration date can be extended well beyond the
(pwdChangedTime plus pwdMaxAge), depending on when I first bind during
the warning period, almost up to (pwdChangedTime plus pwdMaxAge plus
pwdExpireWarning) if my first bind within the warning period falls within
the last usable second of (pwdChangedTime plus pwdMaxAge) time.
Last but not least, I'm experimenting with Tivoli Directory Server 5.1,
whose behaviour seems to be happily ignoring all of the above, because
the returned warning time, independently of any pwdExpirationWarned
value, is ALWAYS (pwdChangedTime plus pwdMaxAge) minus current time.
Can someone please shed some light on the correct meaning of the Behera draft?
Thanks, Gabriele.
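The two branches of step D quoted above, worked through as an added Python example (not code from the draft, the poster, or Tivoli Directory Server) so that the drift between the first and second bind described in points 3 to 5 can be seen in numbers. Attribute names follow the draft; the class and function names and the sample policy and entry values (all in epoch seconds) are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Attribute names follow the Behera draft quoted above. The policy and
# entry values used by the caller are constructed, all in epoch seconds.

@dataclass
class PasswordPolicy:
    pwdMaxAge: int         # seconds a password stays valid after pwdChangedTime
    pwdExpireWarning: int  # seconds before expiry during which warnings are sent

@dataclass
class UserEntry:
    pwdChangedTime: int                        # when the password was last changed
    pwdExpirationWarned: Optional[int] = None  # set by the server on the first warning

def time_before_expiration(policy, entry, now):
    """Step D of the draft, taken literally. Returns the warning value
    (seconds until expiration) or None when no warning is due. Updates
    entry.pwdExpirationWarned exactly where the draft says the server MUST."""
    if entry.pwdExpirationWarned is not None:
        # Second and later binds in the warning period
        return entry.pwdExpirationWarned + policy.pwdExpireWarning - now
    age = now - entry.pwdChangedTime
    if age > policy.pwdMaxAge - policy.pwdExpireWarning:
        # First bind in the warning period: record it and warn
        entry.pwdExpirationWarned = now
        return policy.pwdMaxAge - age
    return None

def implied_expiration(now, warning):
    """Expiration date a client infers from the control: now + warning."""
    return now + warning

def simulate_two_binds(policy, entry, first_bind, second_bind):
    """Two binds inside the warning period against the same entry. Returns
    the two warning values and the expiration dates a client would infer;
    the second inferred date exceeds pwdChangedTime + pwdMaxAge by however
    long the first bind came after the start of the warning period."""
    w1 = time_before_expiration(policy, entry, first_bind)
    w2 = time_before_expiration(policy, entry, second_bind)
    return w1, w2, implied_expiration(first_bind, w1), implied_expiration(second_bind, w2)

if __name__ == "__main__":
    # Constructed sample: 30-day max age, 7-day warning window, changed at t=0
    policy = PasswordPolicy(pwdMaxAge=30 * 86400, pwdExpireWarning=7 * 86400)
    print(simulate_two_binds(policy, UserEntry(pwdChangedTime=0), 2_000_000, 2_100_000))
```

With the sample values the first bind implies expiry at pwdChangedTime + pwdMaxAge, while the second implies a date 12800 seconds later, exactly the delay between the start of the warning window and the first bind.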