Re: password policy - alternate lockout mechanism
Aravind Gottipati wrote:
> Hi,
> This thread has been dead for some time now. Here is the link to the
> original thread and all the follow-up discussion
> (http://www.openldap.org/lists/openldap-software/200901/msg00147.html).
> An ITS request (5911) was in place for the feature (looks like it's
> been closed since). Howard had suggested that these requests generally
> get worked on as and when folks have time to implement them.
I closed that ITS because we viewed it as a security liability, not as a
feature worthy of implementing. I think that conclusion was already clear from
the earlier mailing list discussion.
In this case, we've done a fair number of tweaks in the ppolicy code recently.
Your suggestions were not missed due to lack of time; they were rejected due
to lack of technical merit.
> We (at Mozilla) needed this feature to better support users in-house,
> so we contracted the development out to Zytrax. I am happy to inform
> you that this code is now ready and works for us on both 2.4.13 and
> 2.4.16. Here is the link
> (http://www.zytrax.com/books/ldap/ch6/ppolicy.html) to the
> documentation from Zytrax about how this feature works; it also
> contains links to download the code. I am not sure how we'd go about
> getting this code integrated into mainline OpenLDAP, but we would love
> for this code to be a part of the regular OpenLDAP releases. This
> code plays nice with existing setups in that its features are turned
> off by default and it behaves exactly as the original ppolicy module
> does.
Generally, we implement features according to the published specs. If you
believe this feature is valuable, you should push to have it included in the
next version of the ppolicy draft. I've been pushing for a few additions
recently as well.
http://www.openldap.org/lists/ietf-ldapext/200907/msg00001.html
> Please let me know if you have any questions about how this works or
> if there are other concerns about including this in regular OpenLDAP
> software releases.
Follow the Contributing guidelines if you want the code considered for
inclusion. Of course since folks at Zytrax are the actual authors, they're the
ones who will have to do the actual submission.
http://www.openldap.org/devel/contributing.html
But again, nothing is going to happen without buy-in from other reviewers and
adoption into the published draft. I suspect that in its current form, no one
is going to back this idea though because it is fundamentally unsound.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/