Posted to users@directory.apache.org by Dave Bartlett <Da...@MEDecision.com> on 2007/03/27 16:30:28 UTC

Questions...

I am evaluating LDAP implementations.  I had a difficult time
determining if Apache Directory can perform some password policy
functions such as max and min characters in password, expiration days,
warning days before expiration, logon attempts, etc.  In Apache
Directory would this be done through 'custom authenticators'?

 

Thank you,

db

Dave.Bartlett@medecision.com

610.540.0202 ext: 1449

 

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

The information transmitted is intended only for the person or entity to 
which it is addressed and may contain confidential and/or privileged 
material. Any review, retransmission, dissemination or other use of, or 
taking of any action in reliance upon, this information by persons or 
entities other than the intended recipient is prohibited. If you received 
this message in error, please contact the sender and delete the material 
from any computer.


Re: Questions...

Posted by Ersin Er <er...@gmail.com>.
On 3/27/07, Emmanuel Lecharny <el...@gmail.com> wrote:
> Hi Dave !
>
> On 3/27/07, Dave Bartlett <Da...@medecision.com> wrote:
> >
> > I am evaluating LDAP implementations.  I had a difficult time
> > determining if Apache Directory can perform some password policy
> > functions such as max and min characters in password, expiration days,
> > warning days before expiration, logon attempts, etc.
>
>
> No, we haven't implemented password policies right now. But this is something
> we might do sooner or later.
>
> > In Apache
> > Directory would this be done through 'custom authenticators'?
>
>
> Sure. This is not really the simplest way to do it, but this is the way to
> go. We may think about other options, like triggers or Stored procedures (we
> have both) to handle such policies. For instance, with Stored Procedures, we
> can check if the password is correct with regard to the given policy. The
> good point about SP is that it's basically a java class you simply store
> into the server, as any other Ldap element, so you don't have to rebuild the
> server.

Yes, an SP physically is just a Java class with static methods stored
in the DIT. We have a SP caller extended operation but it's not the
matter in this context. Triggers track some operations and invoke SPs
on some scheduled time.

> Alex and Ersin, correct me if I'm wrong !
>
> Emmanuel
>
> > Thank you,
> >
> > db
> >
> > Dave.Bartlett@medecision.com
> >
> > 610.540.0202 ext: 1449
> >
> >
> >
> >
> >
>
>
> --
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>


-- 
Ersin

Re: Questions...

Posted by Alex Karasulu <ak...@apache.org>.
Hi,

On 3/27/07, Emmanuel Lecharny <el...@gmail.com> wrote:
>
> Hi Dave !
>
> On 3/27/07, Dave Bartlett <Da...@medecision.com> wrote:
> >
> > I am evaluating LDAP implementations.  I had a difficult time
> > determining if Apache Directory can perform some password policy
> > functions such as max and min characters in password, expiration days,
> > warning days before expiration, logon attempts, etc.
>
>
> No, we haven't implemented password policies right now. But this is
> something we might do sooner or later.
>
> > In Apache
> > Directory would this be done through 'custom authenticators'?
>
>
> Sure. This is not really the simplest way to do it, but this is the way
> to go. We may think about other options, like triggers or Stored procedures
> (we have both) to handle such policies. For instance, with Stored Procedures,
> we can check if the password is correct with regard to the given policy. The
> good point about SP is that it's basically a java class you simply store
> into the server, as any other Ldap element, so you don't have to rebuild
> the server.
>
> Alex and Ersin, correct me if I'm wrong !


This sounds like a valid way to implement it sure.  Another option is to
centralize auth policy for the server using some of the code already in the
change password service by bringing it into the core.  This way all services
can benefit from this policy management module.  It can be used to validate
password changes.

Triggers may do the work of initiating validation against a given policy
using the central policy manager.

We have a lot of things going on in this space.  The work Ersin was doing
with that draft specification, triggers, Enrique's work and the idea of
centralizing a policy manager.

We just need someone to take the lead on this stuff.  Perhaps Dave can help
us with that?

Alex

Re: Questions...

Posted by Emmanuel Lecharny <el...@gmail.com>.
Hi Dave !

On 3/27/07, Dave Bartlett <Da...@medecision.com> wrote:
>
> I am evaluating LDAP implementations.  I had a difficult time
> determining if Apache Directory can perform some password policy
> functions such as max and min characters in password, expiration days,
> warning days before expiration, logon attempts, etc.


No, we haven't implemented password policies right now. But this is something
we might do sooner or later.

> In Apache
> Directory would this be done through 'custom authenticators'?


Sure. This is not really the simplest way to do it, but this is the way to
go. We may think about other options, like triggers or Stored procedures (we
have both) to handle such policies. For instance, with Stored Procedures, we
can check if the password is correct with regard to the given policy. The
good point about SP is that it's basically a java class you simply store
into the server, as any other Ldap element, so you don't have to rebuild the
server.

Alex and Ersin, correct me if I'm wrong !

Emmanuel

> Thank you,
>
> db
>
> Dave.Bartlett@medecision.com
>
> 610.540.0202 ext: 1449
>
>
>
>
>


-- 
Cordialement,
Emmanuel Lécharny
www.iktek.com
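As an added illustration of the policy checks Dave asked about (length bounds, expiration and warning days, logon attempts) and of Emmanuel's and Ersin's point that a stored procedure is just a Java class with static methods, here is a self-contained validator written for this thread. It is not code from ApacheDS and does not use the ApacheDS stored-procedure or authenticator API; the class name, the policy constants and the `Status` values are all assumptions, and the caller (an authenticator, a trigger or Alex's central policy manager) is assumed to supply the last-change timestamp and the failed-attempt counter.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical password-policy checks as plain static methods, the shape
 * the thread describes for a stored procedure. Not ApacheDS code.
 */
public final class PasswordPolicyCheck {

    // Constructed policy values for the example; a real deployment would read these from the DIT.
    public static final int MIN_LENGTH = 8;
    public static final int MAX_LENGTH = 64;
    public static final int EXPIRATION_DAYS = 90;
    public static final int WARNING_DAYS = 14;
    public static final int MAX_FAILED_ATTEMPTS = 5;

    /** Outcome of the age check on an existing password. */
    public enum Status { OK, EXPIRING_SOON, EXPIRED }

    private PasswordPolicyCheck() {}

    /** Returns every violation for a proposed new password; an empty list means it is acceptable. */
    public static List<String> validateNewPassword(String candidate) {
        List<String> problems = new ArrayList<>();
        if (candidate == null) {
            problems.add("password is missing");
            return problems;
        }
        // Count code points, not UTF-16 units, so non-BMP characters are counted once.
        int length = candidate.codePointCount(0, candidate.length());
        if (length < MIN_LENGTH) {
            problems.add("shorter than " + MIN_LENGTH + " characters");
        }
        if (length > MAX_LENGTH) {
            problems.add("longer than " + MAX_LENGTH + " characters");
        }
        return problems;
    }

    /** Classifies a password by its age at 'now': OK, inside the warning window, or expired. */
    public static Status checkExpiration(Instant lastChanged, Instant now) {
        long ageDays = Duration.between(lastChanged, now).toDays();
        if (ageDays >= EXPIRATION_DAYS) {
            return Status.EXPIRED;
        }
        if (ageDays >= EXPIRATION_DAYS - WARNING_DAYS) {
            return Status.EXPIRING_SOON;
        }
        return Status.OK;
    }

    /** Days left before a warning-window password expires; 0 when already expired. */
    public static long daysUntilExpiration(Instant lastChanged, Instant now) {
        long ageDays = Duration.between(lastChanged, now).toDays();
        return Math.max(0, EXPIRATION_DAYS - ageDays);
    }

    /** True when a bind may proceed; the failure counter is maintained by the caller. */
    public static boolean bindAllowed(int failedAttempts) {
        return failedAttempts < MAX_FAILED_ATTEMPTS;
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        Instant now = Instant.parse("2007-03-27T16:30:28Z");
        Instant changedLongAgo = now.minus(Duration.ofDays(100));
        Instant changedRecently = now.minus(Duration.ofDays(80));

        System.out.println("short password: " + validateNewPassword("abc"));
        System.out.println("good password:  " + validateNewPassword("correct horse battery"));
        System.out.println("100-day-old:    " + checkExpiration(changedLongAgo, now));
        System.out.println("80-day-old:     " + checkExpiration(changedRecently, now)
                + ", " + daysUntilExpiration(changedRecently, now) + " days left");
        System.out.println("bind after 5 failures allowed: " + bindAllowed(5));
    }
}
```

Each method returns a value rather than throwing, so a wrapper can map the result to the LDAP response it wants (reject the modify, return a warning control on bind, or refuse the bind) without the policy class knowing anything about the protocol layer.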