directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alex Karasulu" <akaras...@apache.org>
Subject Re: Questions...
Date Tue, 27 Mar 2007 14:49:38 GMT
Hi,

On 3/27/07, Emmanuel Lecharny <elecharny@gmail.com> wrote:
>
> Hi Dave !
>
> On 3/27/07, Dave Bartlett <Dave.Bartlett@medecision.com> wrote:
> >
> > I am evaluating LDAP implementations.  I had a difficult time
> > determining if Apache Directory can perform some password policy
> > functions such as max and min characters in password, expiration days,
> > warning days before expiration, logon attempts, etc.
>
>
> No, we didn't implemented password policies right now. But this is
> something
> we might do sooner or later.
>
> In Apache
> > Directory would this be done through 'custom authenticators'?
>
>
> Sure. This is not  really the simpliest way to do it, but this is the way
> to
> go. We may think about other options, like triggers or Store procedures
> (we
> have both) to handle such policies. For instance, with Stored Procedures,
> we
> can check if the password is correct in regard with the given policy. The
> good point about SP is that it's basically a java class you simply store
> into the server, as any other Ldap element, so you don't have to rebuild
> the
> server.
>
> Alex and Ersin, correct me if I'm wrong !


This sounds like a valid way to implement it sure.  Another option is to
centralize auth policy for the server
using some of the code already in the change password service by bringing it
into the core.  This way all
services can benefit from this policy management module.  It can be used to
validate password changes.

Triggers may do the work of initiating validation against a given policy
using the central policy manager.

We have a lot of things going on in this space.  The work Ersin was doing
with that draft specification,
triggers, Enrique's work and the idea of centralizing a policy manager.

We just need someone to take the lead on this stuff.  Perhaps Dave can help
us with that?

Alex

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message