Re: Defining a password attributetype
Buchan Milne wrote:
> On Friday, 3 September 2010 19:26:05 Michael Ströder wrote:
>> IMO that's bad practice. When doing a password reset you should set a
>> random value in userPassword together with password expiration attribute
>> (slapo-ppolicy).
>
> IMHO, the correct attribute to set would have been pwdReset, but unfortunately
> there is no way to enforce users to reset their passwords in applications that
> don't support ppolicy (as users won't get locked out if they just keep using
> the temporary password).
>
> I think I sent feedback to Howard on the new ppolicy draft about this ...
The original poster wrote about a custom web-based password app anyway. So
this would not be a problem in his case.
Additionally the password expiration should be set to a reasonably short
time-frame, just in case someone intercepts the password reset message with
the temporary password.
Ciao, Michael.
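
The reset discussed in this thread, as an added example that is not part of the original messages: a Python sketch that builds the LDIF modify record a custom reset application could send, with a random temporary userPassword, pwdReset set to TRUE, and a short-lived policy assigned through pwdPolicySubentry. The DNs and the dedicated reset policy are assumptions, as is a server that hashes cleartext userPassword values on write (for example slapo-ppolicy's ppolicy_hash_cleartext).

```python
import base64
import secrets
import string

# Hypothetical DN of a ppolicy entry with a short pwdMaxAge, used only for resets.
RESET_POLICY_DN = "cn=reset,ou=policies,dc=example,dc=com"
ALPHABET = string.ascii_letters + string.digits


def temp_password(length=20):
    """Random temporary password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ldif_attr(name, value):
    """Format one LDIF line, base64-encoding values that are not SAFE-STRINGs."""
    raw = value.encode("utf-8")
    safe = (
        raw.isascii()
        and not any(b in raw for b in (b"\x00", b"\n", b"\r"))
        and not raw.startswith((b" ", b":", b"<"))
        and not raw.endswith(b" ")
    )
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def reset_ldif(user_dn, password, policy_dn=RESET_POLICY_DN):
    """Build one modify record: new password, forced change, short-lived policy."""
    changes = [
        ("userPassword", password),        # random temporary value
        ("pwdReset", "TRUE"),              # ppolicy-aware clients must change it
        ("pwdPolicySubentry", policy_dn),  # bounds the lifetime for all other clients
    ]
    lines = [ldif_attr("dn", user_dn), "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_attr(attr, value), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample user; feed the output to ldapmodify over a protected connection.
    print(reset_ldif("uid=jdoe,ou=people,dc=example,dc=com", temp_password()), end="")
```

The reset policy assignment has to be removed again once the user has chosen a new password; that step is not shown.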