
Re: [ldapext] Re: Password Policy for LDAP Directories



Hi Neil,


Neil Dunbar wrote:
<SNIP>
The pwdMaxAge should be the absolute maximum time that the password can
be used by anyone as a credential. The pwdExpirationWarning time, I
think, should be the earliest opportunity that the directory server can
warn the user that his/her password is approaching expiry. If the user
comes into the expiry period late in the game - tough. You can always
use the grace logins feature to allow the user with the dud password to
change it after it has ceased to be a meaningful credential for general
directory operations.
</SNIP>


If someone were to implement the draft in its current form, their first warning time would indicate the time difference between the current time and the time that the password is due to expire. Subsequent logins would result in a warning time that will go beyond the specified pwdMaxAge, allowing the user to receive their full warning period.


Our implementation, which was based around the -05 version of the draft, handled this inconsistency by returning an initial warning message of pwdExpireWarning.

I've now noticed, in version -07 of the draft, that the following new line exists within the description of pwdExpireWarning:
If not 0, the value must be smaller than the value of the pwdMaxAge attribute.


This seriously implies that the author's intention is to ensure that the warning time does not exceed the maximum age of the password.

I'm not extremely passionate about whether a user should receive their full warning period. Some consensus on this issue, and the author's opinion (Jim?) would be good though.


Andrew Sciberras
eB2Bcom - Software Engineer
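To make the two readings discussed in this thread concrete, here is an added example (not code from the thread, the draft, or the eB2Bcom implementation) that models a server's bind-time decision from pwdChangedTime, pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit. The default branch follows the draft text (timeBeforeExpiration is whatever is left before pwdChangedTime + pwdMaxAge); the full_warning_period branch is one possible reading of the -05-based behaviour described above, and all class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Policy:
    pwd_max_age: int                 # pwdMaxAge, seconds the password stays usable
    pwd_expire_warning: int          # pwdExpireWarning, seconds before expiry (0 = none)
    pwd_grace_authn_limit: int = 0   # pwdGraceAuthNLimit, binds allowed after expiry


@dataclass
class UserState:
    pwd_changed_time: datetime                  # pwdChangedTime
    grace_uses: int = 0                         # number of pwdGraceUseTime values recorded
    first_warned_at: Optional[datetime] = None  # used only by the full-warning variant


def check_bind(policy: Policy, st: UserState, now: datetime,
               full_warning_period: bool = False) -> dict:
    """Return the password-policy response a server would attach to a bind at `now`.

    Draft semantics: expiry = pwdChangedTime + pwdMaxAge, and timeBeforeExpiration
    is the remaining time even when that is less than pwdExpireWarning.
    Full-warning variant (hypothetical model of the -05-based behaviour): the
    first warning reports the whole pwdExpireWarning and expiry slides out to
    first_warned_at + pwdExpireWarning, so it can exceed pwdMaxAge.
    """
    expiry = st.pwd_changed_time + timedelta(seconds=policy.pwd_max_age)
    if full_warning_period and st.first_warned_at is not None:
        expiry = max(expiry, st.first_warned_at + timedelta(seconds=policy.pwd_expire_warning))
    remaining = int((expiry - now).total_seconds())
    if remaining <= 0:
        # Expired: a grace bind succeeds while any remain, otherwise the bind fails.
        if st.grace_uses < policy.pwd_grace_authn_limit:
            st.grace_uses += 1
            return {"bind": "ok",
                    "graceAuthNsRemaining": policy.pwd_grace_authn_limit - st.grace_uses}
        return {"bind": "rejected", "error": "passwordExpired"}
    if policy.pwd_expire_warning and remaining <= policy.pwd_expire_warning:
        # Inside the warning window: report time left, or the full period on first warning.
        if full_warning_period and st.first_warned_at is None:
            st.first_warned_at = now
            remaining = policy.pwd_expire_warning
        return {"bind": "ok", "timeBeforeExpiration": remaining}
    return {"bind": "ok"}
```

Running it with a 30-day pwdMaxAge and a 7-day pwdExpireWarning for a user who first binds on day 28 shows the difference: the draft reading warns with 2 days left, while the full-warning variant warns with 7 days and still accepts the bind on day 33.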

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext