Apache Directory Project - [jira] Commented: (DIRSERVER-899) Support centralized password


Author [jira] Commented: (DIRSERVER-899) Support centralized password
Enrique Rodriguez (JIRA)

2007-05-10, 7:11 pm


[ https://issues.apache.org/jira/brow...action_12494827 ]

Enrique Rodriguez commented on DIRSERVER-899:
---------------------------------------------

The code I had in Change Password, which I just converted to an interceptor, overlaps the LDAP password policy draft in the area of "password quality," a subset of the draft that covers character mix, password length, and "disallowing anagrams of the user's name." Put another way, I didn't implement anything that required storage, such as password history and expiration time. The LDAP draft is comprehensive and a good idea for a new feature.

I think we'll need to support pluggable policies, since enterprise requirements in this area can vary greatly. There are also competing schema, such as the draft RFC for a Kerberos schema, which has its own schema for password policy. The relevant section is 4.11 in:

http://mailman.mit.edu/pipermail/kd...ema-01-0001.txt

4.11 krbPwdPolicy

The krbPwdPolicy object is a template password policy that can be
applied to principals when they are created. These policy attributes
will be in effect, when the Kerberos passwords are different from
directory passwords.

Definition:
( IANA-ASSIGNED-OID.6.11
NAME 'krbPwdPolicy'
SUP ( top )
STRUCTURAL
MUST ( cn )
MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
krbPwdMinLength $ krbPwdHistoryLength $ krbPolicyRefCount ))


> Support centralized password policy enforcement
> -----------------------------------------------
>
> Key: DIRSERVER-899
> URL: https://issues.apache.org/jira/browse/DIRSERVER-899
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: changepw, core
> Reporter: Enrique Rodriguez
> Assigned To: Enrique Rodriguez
> Priority: Minor
> Fix For: 1.5.2
>
>
> Currently, password policy is not applied centrally, let alone per "realm" or subtree/subtree refinement. The Change Password protocol provider enforces a best-practice password policy. However, this is bypassed during other password sets, such as during LDIF load or LDAP add and modify operations.
> Password policy enforcement should move to the core, for reuse by other mechanisms for password changes.
> Password policy is currently enforced in the CheckPasswordPolicy IoHandlerCommand.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
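
The stateless "password quality" subset named in the comment above (password length, character mix, no anagram of the user's name), as an added example that is not ApacheDS code or the commenter's interceptor. The class and method names, both thresholds and the sample inputs are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Added illustration, not ApacheDS code. Names and thresholds are assumed. */
public class PasswordQualityCheck {
    static final int MIN_LENGTH = 8;      // assumed minimum length
    static final int MIN_CATEGORIES = 3;  // assumed: 3 of lower/upper/digit/other

    /** Returns the violated rules; an empty list means the password passes. */
    static List<String> violations(String username, String password) {
        List<String> out = new ArrayList<>();
        if (password.length() < MIN_LENGTH) out.add("length");
        boolean lower = false, upper = false, digit = false, other = false;
        for (int i = 0; i < password.length(); ) {
            int cp = password.codePointAt(i);
            if (Character.isLowerCase(cp)) lower = true;
            else if (Character.isUpperCase(cp)) upper = true;
            else if (Character.isDigit(cp)) digit = true;
            else other = true;
            i += Character.charCount(cp);
        }
        int categories = (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (other ? 1 : 0);
        if (categories < MIN_CATEGORIES) out.add("character-mix");
        if (sortedLetters(password).equals(sortedLetters(username))) {
            out.add("anagram-of-username");
        }
        return out;
    }

    /** Case-folded, sorted code points: identical for any two anagrams. */
    private static String sortedLetters(String s) {
        int[] cps = s.toLowerCase(Locale.ROOT).codePoints().sorted().toArray();
        return new String(cps, 0, cps.length);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: {username, candidate password}
        String[][] samples = { {"jsmith", "htimsj"}, {"jsmith", "Short1!"},
                               {"jsmith", "Blue-Kettle-42"} };
        for (String[] s : samples) {
            System.out.println(s[1] + " -> " + violations(s[0], s[1]));
        }
    }
}
```

None of these checks needs stored state, which is why the same routine can be called from every write path the issue lists (Change Password, LDIF load, LDAP add and modify) rather than from one protocol handler.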

