Re: [ldapext] ppolicy questions
jay alvarez wrote:
Good day,
I have some questions regarding draft-behera-ldap-password-policy-08.txt.
1. Do you know if it has been standardized or updated yet?
Not yet. We've been discussing the password policy at the last IETF
and we need to collect information about the various implementations,
and see if we can reach consensus on a common set of features.
2. In pwdCheckQuality, it says it is still in the TODO list..
Right now, pwdCheckQuality is an integer that tells whether quality of
the password must be checked or not. What quality means and how it's
configured is left to implementation.
Several persons have expressed the desire to have a common definition for
password quality. We have not reached consensus on this subject.
Do you know how to enforce the minimum included characters like it
must have Upper, lower, number, special characters without
administrator intervention? Sure, I can use some random password
generation tools to enforce these requirements but I'm thinking a lot
of negative implications..
3. How is the expiration warning shown to the user?? Let's say, I would
do an ldapsearch in the commandline and do a simple bind... it didn't
tell me if my password is about to expire even if I run it in verbose
mode..
ldapsearch would have to have support for the password policy controls.
Which ldapsearch tool did you use ?
4. What if in pwdMustChange, the user did not change his password
after initial bind or reset by administrator?? What will happen?? The
attribute explanation doesn't say anything about this....
Our implementation will reject any other operations on that connection.
5. How to send old password when changing to a new
password (pwdSafeModify)??
I've looked into ldapmodify and found nothing about this.
My file looks like this:
dn: uid=jayson,ou=people,o=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}g/pfweYQQRtYFxVGwhn8xnCCEcY0rDTDQ
dn: uid=jayson,ou=people,o=example,dc=com
changetype: modify
delete: userPassword
userPassword: OldPassword
-
add: userPassword
userPassword: NewPassword
Or you could use the Password Modify Extended operation.
Regards,
Ludovic.
On ldapmodify operation, I got this error:
ldap_modify: Insufficient access (50)
additional info: Must supply old password to be changed as
well as new one
That's all for now, thanks!
-jay
_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
--
Ludovic Poitou Sun Microsystems Inc.
Software Architect Directory Server Group
http://blogs.sun.com/Ludo/ Grenoble, France