On 10/04/2017 01:57 PM, Shawn McKinney wrote:
> On Oct 4, 2017, at 2:25 AM, Radovan Semancik <[email protected]> wrote:
>> The problem is that there is no standard way how to disable a user in LDAP.
>> Some LDAP servers have proprietary attributes for this. And some servers (such
>> as OpenLDAP) have no good way to do this at all. Therefore the studio has
>> to support many algorithms and it may even need custom extensions to support
>> this properly.
> I wouldn’t characterize adherence to an expired IETF draft — proprietary. The
> main problem is LDAPv3 doesn’t include pw policies and the communities (us)
> have never bothered to ratify an extension as standard.
Password expiration/disable is quite different from account disable.
E.g. even if a password is expired/disabled, the user can still log in
using a non-password authentication scheme, such as SSH keys on a UNIX
system. Which is a big problem. A password might not be used at all for
some use cases (e.g. X.509-based auth or federation), so there is no
password policy that could be used. But account disable is usually still
needed. Account disable should prohibit any authentication, regardless
of the authentication method. And that is something that OpenLDAP does
not have. Most other servers have it, although the mechanism is
proprietary. This is getting really important with all those
multi-factor, adaptive and token-based authentication schemes. But as
far as I know there is no good solution for this in LDAP. There is no
standard for LDAP account disable. Not even an expired one. (But please
correct me if I'm wrong. I looked for that, but I might have overlooked
something.)
Therefore this means that in practice the disable mechanism is
implemented (read: worked around) by using various creative ways (read:
hacks). There is no single unified way that works for everybody. Not
even for the majority of cases. It is different for every deployment.
--
Radovan Semancik
Software Architect
evolveum.com
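The distinction drawn in the thread (password-policy state versus an administrative account disable that must stop every authentication method, with the disable flag living in a different server-specific attribute per deployment) as an added Python example. This is not code from the thread, from Apache Directory Studio or from any of the servers mentioned; the attribute names and sentinel values (userAccountControl, nsAccountLock, ds-pwp-account-disabled, pwdAccountLockedTime, pwdChangedTime) are my own knowledge of common server dialects, not something the thread states, and the sample entries are constructed. The point it shows is that a consumer which only consults password policy will still let an SSH-key or X.509 login through, while a disable check applied before the method-specific checks does not.

```python
from datetime import datetime, timezone

# Attribute names and sentinel values are my own knowledge of common server
# dialects (Active Directory, 389 DS, OpenDJ/PingDirectory, OpenLDAP ppolicy);
# they are not from the thread. Confirm them against your own server.
AD_ACCOUNTDISABLE = 0x0002                 # userAccountControl bit in Active Directory
OPENLDAP_PERMANENT_LOCK = "000001010000Z"  # ppolicy pwdAccountLockedTime "locked forever"

# Fixed reference time so the sample decisions below are reproducible.
EXAMPLE_NOW = datetime(2017, 10, 4, tzinfo=timezone.utc)


def _first(entry, attr):
    """First value of attribute `attr` in a dict-shaped entry, matched case-insensitively."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values[0] if isinstance(values, list) else values
    return None


def account_disabled(entry):
    """Administrative disable: must block every authentication method.

    Returns (disabled, reason). Each branch covers one server dialect."""
    uac = _first(entry, "userAccountControl")
    if uac is not None and int(uac) & AD_ACCOUNTDISABLE:
        return True, "userAccountControl has ACCOUNTDISABLE"
    if str(_first(entry, "nsAccountLock") or "").lower() == "true":
        return True, "nsAccountLock=TRUE"
    if str(_first(entry, "ds-pwp-account-disabled") or "").lower() == "true":
        return True, "ds-pwp-account-disabled=true"
    if _first(entry, "pwdAccountLockedTime") == OPENLDAP_PERMANENT_LOCK:
        return True, "pwdAccountLockedTime permanent lock"
    return False, ""


def password_unusable(entry, now, max_age_seconds=90 * 86400):
    """Password-policy state: only relevant when the password itself is used."""
    if _first(entry, "pwdAccountLockedTime"):
        return True                       # temporary or permanent lockout
    changed = _first(entry, "pwdChangedTime")
    if changed:
        t = datetime.strptime(changed, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
        if (now - t).total_seconds() > max_age_seconds:
            return True                   # password older than the allowed age
    return False


def authorize(entry, method, now=None):
    """Decide whether `method` ('password', 'sshkey', 'x509', ...) may proceed.

    The disable check runs first and applies to every method; password
    policy is consulted only for password authentication."""
    now = now or datetime.now(timezone.utc)
    disabled, why = account_disabled(entry)
    if disabled:
        return False, f"account disabled ({why})"
    if method == "password" and password_unusable(entry, now):
        return False, "password expired or locked"
    return True, "ok"


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = {
    "ad_disabled":       {"userAccountControl": ["514"]},             # 512 | 2
    "ad_enabled":        {"userAccountControl": ["512"]},
    "389_locked":        {"nsAccountLock": ["TRUE"]},
    "openldap_pwlocked": {"pwdAccountLockedTime": ["20170930120000Z"]},
    "openldap_expired":  {"pwdChangedTime": ["20160101000000Z"]},
}

if __name__ == "__main__":
    for name, entry in SAMPLE_ENTRIES.items():
        for method in ("password", "sshkey"):
            print(name, method, authorize(entry, method, EXAMPLE_NOW))
```

Running it shows the OpenLDAP entries (password locked or expired) still passing for `sshkey`, while the AD and 389 DS entries carrying a real disable flag fail for every method. In a deployment, the set of dialect branches in `account_disabled` is exactly the per-deployment configuration the thread complains about.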