Re: [ldapext] ppolicy questions

Ludovic Poitou <Ludovic.Poitou@Sun.COM> Mon, 27 March 2006 01:41 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1FNgjp-0003nx-6r; Sun, 26 Mar 2006 20:41:45 -0500
Received: from [] ( by with esmtp (Exim 4.43) id 1FNgjo-0003nq-Pe for; Sun, 26 Mar 2006 20:41:44 -0500
Received: from ([]) by with esmtp (Exim 4.43) id 1FNgjn-0003Cw-Bu for; Sun, 26 Mar 2006 20:41:44 -0500
Received: from phys-gadget-1 ([]) by (8.12.10/8.12.9) with ESMTP id k2R1fg8u005319 for <>; Sun, 26 Mar 2006 18:41:42 -0700 (MST)
Received: from by (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) id <> (original mail from Ludovic.Poitou@Sun.COM) for; Mon, 27 Mar 2006 02:41:42 +0100 (BST)
Received: from [] (vpn-129-150-33-71.Central.Sun.COM []) by (iPlanet Messaging Server 5.2 HotFix 1.24 (built Dec 19 2003)) with ESMTPA id <>; Mon, 27 Mar 2006 02:41:42 +0100 (BST)
Date: Mon, 27 Mar 2006 03:43:01 +0200
From: Ludovic Poitou <Ludovic.Poitou@Sun.COM>
Subject: Re: [ldapext] ppolicy questions
In-reply-to: <>
To: jay alvarez <>
Message-id: <>
Organization: Sun Microsystems Inc.
MIME-version: 1.0
Content-type: text/plain; charset=ISO-8859-1; format=flowed
Content-transfer-encoding: 7BIT
User-Agent: Thunderbird 1.5 (Windows/20051201)
References: <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

jay alvarez wrote:
> Good day,
> I have some questions regarding draft-behera-ldap-password-policy-08.txt.
> 1. Do you know if it has been standardized or updated yet?
Not yet. We've been discussing the password policy at the last IETF 
and we need to collect information about the various implementations, 
to see if we can reach consensus on a common set of features.
> 2. In pwdCheckQuality, it says it is still in the TODO list..
Right now, pwdCheckQuality is an integer that tells whether the quality of 
the password must be checked or not. What quality means and how it is 
configured is left to the implementation.
Several persons have expressed the desire to have a common definition for 
password quality. We have not reached consensus on this subject.

> Do you know how to enforce the minimum included characters, like it 
> must have upper, lower, number and special characters, without 
> administrator intervention? Sure, I can use some random password 
> generation tools to enforce these requirements but I'm thinking of a lot 
> of negative implications..
> 3. How is the expiration warning shown to the user?? Let's say I would 
> do an ldapsearch on the command line and do a simple bind... it didn't 
> tell me if my password is about to expire even if I run it in verbose 
> mode..
ldapsearch would have to have support for the password policy controls. 
Which ldapsearch tool did you use?
> 4. What if, in pwdMustChange, the user did not change his password 
> after the initial bind or a reset by the administrator?? What will happen?? The 
> attribute explanation doesn't say anything about this....

Our implementation will reject any other operations on that connection.
> 5. How to send the old password when changing to a new 
> password (pwdSafeModify)??
> I've looked into ldapmodify and found nothing about this.
> My file looks like this:
> dn: uid=jayson,ou=people,o=example,dc=com
> changetype: modify
> replace: userPassword
> userPassword: {SSHA}g/pfweYQQRtYFxVGwhn8xnCCEcY0rDTDQ
dn: uid=jayson,ou=people,o=example,dc=com
changetype: modify
# remove the current value (the server checks it against the stored password)
delete: userPassword
userPassword: OldPassword
-
# and add the new value in the same modify operation
add: userPassword
userPassword: NewPassword
-

Or you could use the Password Modify Extended operation.

> On the ldapmodify operation, I got this error:
> ldap_modify: Insufficient access (50)
>         additional info: Must supply old password to be changed as 
> well as new one
> That's all for now, thanks!
> -jay

Ludovic Poitou                                    Sun Microsystems Inc.
Software Architect                               Directory Server Group
                                                      Grenoble, France

Sun Microsystems requires the following notice:
NOTICE:  This email message is for the sole use of the intended
recipient(s) and may contain confidential and privileged information.
Any unauthorized review, use, disclosure or distribution is prohibited.
If you are not the intended recipient, please contact the sender by
reply email and destroy all copies of the original message.

Ldapext mailing list
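The two mechanisms the reply points at, the password policy control (which a client such as ldapsearch must send and parse before it can show an expiry warning) and the Password Modify extended operation (which carries the old password that pwdSafeModify demands), are both plain BER structures. The block below is an added example, not code from this thread, from Sun's server, or from the draft: it encodes and decodes the PasswordPolicy response control value and the RFC 3062 Password Modify request value using only the standard library. The control OID (1.3.6.1.4.1.42.2.27.8.5.1, sent with no value) and error numbering are taken from draft-behera-ldap-password-policy, the extended-operation OID from RFC 3062; the tag layout is my reading of the draft's ASN.1 (the CHOICE under warning is tagged explicitly, the rest implicitly), and the sample values are constructed, not captured from a server. Error code 4, mustSupplyOldPassword, is the one behind the "Must supply old password" message quoted above.

```python
"""BER helpers for draft-behera password-policy plumbing.  Added illustration,
not Sun's or the draft's code; nothing here talks to a live server."""

# Request control carries no value; OID from the draft.  Password Modify OID from RFC 3062.
PP_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# PasswordPolicyResponseValue.error ENUMERATED, numbered as in the draft.
PP_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def ber_len(n):
    """Definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One tag-length-value element (single-octet tags only)."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """Minimal two's-complement content octets for INTEGER / ENUMERATED."""
    n = 1
    while not -(1 << (8 * n - 1)) <= value < (1 << (8 * n - 1)):
        n += 1
    return value.to_bytes(n, "big", signed=True)

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject elements that overrun buf."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def encode_pp_response(time_before_expiration=None, grace_remaining=None, error=None):
    """Build a PasswordPolicyResponseValue as a server would return it.
    warning [0] wraps a CHOICE, so it is explicitly tagged (constructed 0xA0)
    around the implicitly tagged alternative [0]/[1]; error [1] is implicit."""
    parts = b""
    if time_before_expiration is not None:
        parts += tlv(0xA0, tlv(0x80, ber_int(time_before_expiration)))
    elif grace_remaining is not None:
        parts += tlv(0xA0, tlv(0x81, ber_int(grace_remaining)))
    if error is not None:
        parts += tlv(0x81, ber_int(error))
    return tlv(0x30, parts)

def decode_pp_response(value):
    """Parse a response control value into {'warning': (kind, n) or None, 'error': name or None}."""
    tag, body, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("response value is not a single SEQUENCE")
    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        if tag == 0xA0:                     # warning: seconds left, or grace binds left
            ctag, cval, cend = read_tlv(content)
            if cend != len(content):
                raise ValueError("trailing bytes inside warning")
            kinds = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}
            if ctag not in kinds:
                raise ValueError("unknown warning alternative 0x%02x" % ctag)
            result["warning"] = (kinds[ctag], int.from_bytes(cval, "big", signed=True))
        elif tag == 0x81:                   # error ENUMERATED
            code = int.from_bytes(content, "big", signed=True)
            result["error"] = PP_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected element 0x%02x" % tag)
    return result

def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None):
    """PasswdModifyRequestValue (RFC 3062): userIdentity [0], oldPasswd [1],
    newPasswd [2], all optional OCTET STRINGs.  Supplying oldPasswd here is the
    extended-operation way of satisfying pwdSafeModify."""
    parts = b""
    for tag, field in ((0x80, user_identity), (0x81, old_passwd), (0x82, new_passwd)):
        if field is not None:
            parts += tlv(tag, field.encode("utf-8"))
    return tlv(0x30, parts)

if __name__ == "__main__":
    # Constructed sample: one day left on the password, plus error 4 (mustSupplyOldPassword).
    sample = encode_pp_response(time_before_expiration=86400, error=4)
    print(sample.hex(), decode_pp_response(sample))
    print(encode_passwd_modify(old_passwd="OldPassword", new_passwd="NewPassword").hex())
```

A client that attaches the request control (the OID above, non-critical, no value) to its bind and runs decode_pp_response on the matching response control is what turns the server-side warning into something the user actually sees; ldapsearch without that support, as the reply notes, has nothing to show.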