RE: [ldapext] draft-behera-ldap-password-policy - bind behavior when pwd must be changed
Hi,
I agree with John. The draft should distinguish between clients which
provide the password policy request control and clients which don't support
this.
Other comments inline.
> -----Original Message-----
> From: Dejan Muhamedagic [mailto:dejan@hello-penguin.com]
> Sent: Wednesday, November 19, 2003 4:00 PM
> To: John McMeeking
> Cc: ldapext@ietf.org
> Subject: Re: [ldapext] draft-behera-ldap-password-policy -
> bind behavior when pwd must be changed
>
>
> John,
>
> On Wed, Nov 19, 2003 at 08:13:42AM -0600, John McMeeking wrote:
> >
> [snip]
> >
> > What I feel is lacking in the draft is the distinction between a
> > client that provides the password policy request control and a client
> > that does not.
> > - If no password policy control is present, a bind with a reset
> > password should fail
> > - If a password policy is present, a bind with a reset password should
> > succeed with a response control returned as is currently stated in the
> > draft.
>
> How can LDAP server tell if the client supports password
> policy or not? All it knows is that they want to bind.
>
> I agree that the security policy should be enforced at the
> server and not at the client, but in this case we have no
> means to do that without "breaking" clients which don't know
> how to read the policy.
The LDAP server can publish the control in the ROOT by supported controls.
The LDAP client should not read the password policy.
Helmut
>
> Cheers,
>
> Dejan
>
> _______________________________________________
> Ldapext mailing list
> Ldapext@ietf.org
> https://www1.ietf.org/mailman/listinfo/ldapext
>
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
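
The bind behaviour John McMeeking proposes in the quoted text above, sketched as an added example (not part of the original message or of the draft). The `Entry` and `Control` types and the use of result code 49 for the refused bind are assumptions; the control OID and the `changeAfterReset` error value are those of draft-behera-ldap-password-policy.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # password policy request/response control
CHANGE_AFTER_RESET = 2                      # error value defined by the draft
SUCCESS = 0
INVALID_CREDENTIALS = 49                    # assumption: code used to refuse the bind


@dataclass
class Control:               # hypothetical, simplified LDAP control
    oid: str
    value: bytes = b""


@dataclass
class Entry:                 # constructed stand-in for a directory entry
    password: str
    pwd_reset: bool          # True after an administrator reset the password


def ppolicy_value(error: Optional[int] = None) -> bytes:
    """BER-encode PasswordPolicyResponseValue with an optional error field."""
    inner = b"" if error is None else bytes([0x81, 0x01, error])  # [1] ENUMERATED
    return bytes([0x30, len(inner)]) + inner                      # SEQUENCE


def simple_bind(entry: Entry, password: str,
                request_controls: List[Control]) -> Tuple[int, List[Control]]:
    """Return (resultCode, response controls) for a simple bind."""
    # The server learns that the client is policy-aware from the request control.
    aware = any(c.oid == PPOLICY_OID for c in request_controls)
    if not hmac.compare_digest(password.encode(), entry.password.encode()):
        return INVALID_CREDENTIALS, []
    if not entry.pwd_reset:
        return SUCCESS, [Control(PPOLICY_OID, ppolicy_value())] if aware else []
    if aware:
        # Bind succeeds; the response control tells the client to change the password.
        return SUCCESS, [Control(PPOLICY_OID, ppolicy_value(CHANGE_AFTER_RESET))]
    # No request control: the client could not see the restriction, so refuse.
    return INVALID_CREDENTIALS, []
```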