[
https://issues.apache.org/jira/browse/DIRSERVER-899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12494827
]
Enrique Rodriguez commented on DIRSERVER-899:
---------------------------------------------
The code I had in Change Password, which I just converted to an interceptor,
overlaps the LDAP password policy draft in the area of "password quality," a
subset of the draft that covers character mix, password length, and
"disallowing anagrams of the user's name." Put another way, I didn't implement
anything that required storage, such as password history and expiration time.
The LDAP draft is comprehensive and a good idea for a new feature.
I think we'll need to support pluggable policies, since enterprise requirements
in this area can vary greatly. There are also competing schemas, such as the
draft RFC for a Kerberos schema, which has its own schema for password policy.
The relevant section is 4.11 in:
http://mailman.mit.edu/pipermail/kdc-schema/attachments/20060803/caceb865/draft-rajasekaran-kerberos-ldap-schema-01-0001.txt
4.11 krbPwdPolicy
The krbPwdPolicy object is a template password policy that can be
applied to principals when they are created. These policy attributes
will be in effect, when the Kerberos passwords are different from
directory passwords.
Definition:
( IANA-ASSIGNED-OID.6.11
NAME 'krbPwdPolicy'
SUP ( top )
STRUCTURAL
MUST ( cn )
MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $
krbPwdMinLength $ krbPwdHistoryLength $ krbPolicyRefCount ))
> Support centralized password policy enforcement
> -----------------------------------------------
>
> Key: DIRSERVER-899
> URL: https://issues.apache.org/jira/browse/DIRSERVER-899
> Project: Directory ApacheDS
> Issue Type: Improvement
> Components: changepw, core
> Reporter: Enrique Rodriguez
> Assigned To: Enrique Rodriguez
> Priority: Minor
> Fix For: 1.5.2
>
>
> Currently, password policy is not applied centrally, let alone per "realm" or
> subtree/subtree refinement. The Change Password protocol provider enforces a
> best-practice password policy. However, this is bypassed during other
> password sets, such as during LDIF load or LDAP add and modify operations.
> Password policy enforcement should move to the core, for reuse by other
> mechanisms for password changes.
> Password policy is currently enforced in the CheckPasswordPolicy
> IoHandlerCommand.
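As an added illustration, not code from ApacheDS or from the commenter, the following Python sketch shows the stateless "password quality" subset described in the comment (minimum length, character mix, and rejecting anagrams of the user's name) written as one reusable check that an LDAP add, modify, LDIF load or Change Password request could all call. The two numeric limits are named after the krbPwdMinLength and krbPwdMinDiffChars attributes of the draft's krbPwdPolicy object; reading krbPwdMinDiffChars as a count of character classes, splitting naming attributes into word tokens, and ignoring name tokens shorter than three letters are assumptions of this example. The anagram check also catches an anagram embedded in a longer password, which goes slightly beyond the comment's wording.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Stateless quality rules. The numeric fields are named after the
    krbPwdPolicy attributes they would be populated from (assumed mapping)."""
    min_length: int = 8           # krbPwdMinLength
    min_char_classes: int = 3     # krbPwdMinDiffChars, read as distinct character classes
    reject_name_anagrams: bool = True


def count_char_classes(password: str) -> int:
    """Count how many of lower / upper / digit / other are present."""
    present = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(present)


def _letters(text: str) -> str:
    """Lowercase letters only, so digits and symbols cannot hide a name."""
    return "".join(c for c in text.lower() if c.isalpha())


def name_tokens(entry: dict) -> list:
    """Collect words from the naming attributes of an entry (constructed
    dict-of-lists shape standing in for a real LDAP entry)."""
    tokens = []
    for attr in ("uid", "cn", "sn", "givenName"):
        for value in entry.get(attr, []):
            tokens.extend(value.split())
    return tokens


def contains_name_anagram(password: str, tokens) -> bool:
    """True if any run of letters in the password is an anagram of a name token.
    Tokens shorter than three letters are skipped (assumed threshold) because
    they would match almost anything."""
    pw = _letters(password)
    for token in tokens:
        t = _letters(token)
        if len(t) < 3 or len(t) > len(pw):
            continue
        target = sorted(t)
        for i in range(len(pw) - len(t) + 1):
            if sorted(pw[i:i + len(t)]) == target:
                return True
    return False


def check_password(password: str, tokens, policy: PasswordPolicy) -> list:
    """Return the list of rule violations; an empty list means the password passes.
    Every password-setting path calls this one function, which is the point of
    moving the policy into the core."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"length {len(password)} < krbPwdMinLength {policy.min_length}")
    classes = count_char_classes(password)
    if classes < policy.min_char_classes:
        violations.append(f"{classes} character classes < krbPwdMinDiffChars {policy.min_char_classes}")
    if policy.reject_name_anagrams and contains_name_anagram(password, tokens):
        violations.append("password contains an anagram of the user's name")
    return violations


if __name__ == "__main__":
    # Constructed sample entry; the policy values are illustrative defaults.
    entry = {"uid": ["asmith"], "cn": ["Alice Smith"], "sn": ["Smith"]}
    policy = PasswordPolicy(min_length=8, min_char_classes=3)
    for candidate in ("short", "Ecila1234!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, name_tokens(entry), policy) or "ok")
```

Because the check is pure (no history or expiry state), it can run inside an interceptor on every add or modify of the password attribute, and the stateful parts of the draft (krbPwdHistoryLength, krbMaxPwdLife) can be layered on separately once storage is available.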