
Re: [ldapext] draft-behera-ldap-password-policy - bind behaviour when pwd must be changed



Andrew Sciberras wrote:
> Michael Ströder wrote:
>
>> BindRequest should fail. That's it.
>
> I really believe that the compare should fail as well.

Yes! Simply forgot that. Thanks for the reminder.

> I'm just saying that if a client does support the password policy control,
> then they MUST provide it. Otherwise the directory may make some incorrect
> assumptions about the client, which will lead to the password policy
> not being enforced normally. E.g. Bind failing due to pwdReset, instead of
> succeeding.

IMO "SHOULD provide it" and a short note will be sufficient here to make implementors aware of the issues.


If an LDAP client, which in principle supports password policy control, wants to behave really dumb for some good reason, it should be allowed to do so even if it does not look reasonable to us now. It then simply behaves like any other dumb LDAP client out there.

Ciao, Michael.


_______________________________________________ Ldapext mailing list Ldapext@ietf.org https://www1.ietf.org/mailman/listinfo/ldapext