
Re: krb5PrincipalName and userPassword



--On Friday, September 07, 2007 5:22 PM +0200 Turbo Fredriksson <turbo@bayour.com> wrote:

> Is it possible to apply the ppolicy on SASL binds?


I suggest you sit down and really think about this for a little bit. SASL/GSSAPI binds already know that the user has authenticated; all that is happening when talking to LDAP is the authorization part. If you want the same sort of restrictions password-wise when dealing with SASL/GSSAPI, then fix your policies at the KDC. There is no way ppolicy can know how to deal with KDC password policies, since the password request *doesn't go through the LDAP server at a protocol level*.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
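
An added example, not part of the original message: a small audit that reads slapd bind log lines and reports, per DN, whether password rules are enforced by ppolicy (simple binds against userPassword) or at the KDC (SASL/GSSAPI binds). The log lines are constructed, the format is assumed to be OpenLDAP's stats-level logging, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample; assumed slapd "stats" log format. The mech= line is
# only written once a bind has completed, so failed binds never show one.
SAMPLE_LOG = """\
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 op=0 BIND dn="" method=163
conn=1002 op=0 RESULT tag=97 err=14 text=
conn=1002 op=2 BIND authcid="bob@EXAMPLE.COM" authzid="bob@EXAMPLE.COM"
conn=1002 op=2 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1002 op=2 RESULT tag=97 err=0 text=
conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" method=128
conn=1003 op=0 BIND dn="uid=bob,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1003 op=0 RESULT tag=97 err=0 text=
conn=1004 op=0 BIND dn="uid=carol,ou=people,dc=example,dc=com" method=128
conn=1004 op=0 RESULT tag=97 err=49 text=
"""

BOUND = re.compile(r'conn=\d+ op=\d+ BIND dn="([^"]*)" mech=(\S+)')

def bind_mechs(log_text):
    """Map each DN to the set of mechanisms it completed a bind with."""
    mechs = defaultdict(set)
    for line in log_text.splitlines():
        m = BOUND.search(line)
        if m and m.group(1):  # an empty DN is an anonymous bind; skip it
            mechs[m.group(1).lower()].add(m.group(2).upper())
    return dict(mechs)

def policy_owner(log_text):
    """For each DN, list where its password rules are actually enforced."""
    report = {}
    for dn, mechs in bind_mechs(log_text).items():
        owners = set()
        if "SIMPLE" in mechs:
            owners.add("ppolicy")  # password checked by slapd itself
        if "GSSAPI" in mechs:
            owners.add("KDC")      # password never reaches slapd
        report[dn] = sorted(owners)  # other SASL mechs are out of scope here
    return report

if __name__ == "__main__":
    for dn, owners in sorted(policy_owner(SAMPLE_LOG).items()):
        print(f"{dn}: {', '.join(owners)}")
```

A DN listed under both owners has two separate secrets, so both policies need to be maintained for it.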