> On Sep 29, 2022, at 8:11 AM, Emmanuel Lécharny <[email protected]> wrote:
> 
>>> * It's mentioned that some PasswordPolicies may be defined as subentries, 
>>> and we may even define some administrativeRole to define the part of the 
>>> DIT that is subject to this subentry. Again, a first implementation should 
>>> focus on having the global PasswordPolicy working. Defining an 
>>> AdministrativeRole induces some complexity that I'd rather move away from atm.
>> Just a few words in favor of this. For example, min age.  When a user entry 
>> is created, they may need an admin reset.  If the min age is long duration 
>> the admin will be prevented.
> 
> I'm not sure I get what you mean... I don't see a valid reason to do an admin 
> reset when a user is created. Admin will create the user, and we may have a 
> request for the user to change its password, but it may be unrelated to what 
> you wrote. What does the min age have to do with the fact we don't implement 
> administrativeRoles?
> 
> Can you clarify?

Let’s take an example pw policy:

  - name: default
    sn: 'default'
    cn: 'default'
    description: 'test ppolicy'
    pwdAttribute: userPassword
    pwdAllowUserChange: 'TRUE'
    pwdSafeModify: 'FALSE'
    pwdInHistory: 5
    pwdCheckQuality: 2
    pwdMinLength: 6
    pwdMinAge: 86400
    pwdExpireWarning: 2880
    pwdGraceAuthNLimit: 0
    pwdLockout: 'TRUE'
    pwdFailureCountInterval: 600
    pwdMustChange: 'FALSE'
    pwdLockoutDuration: 300
    pwdMaxFailure: 5
    pwdMaxAge: 94608000

Which is set as the default for the directory.

Here the minAge is set to 1 day.  Next we create a user entry via some 
automatic mechanism.  For whatever reason the new user doesn’t know the 
password and requests a reset before 1 day has elapsed.  So, the admin attempts 
a pw reset but can’t b/c the min age has not expired.

With admin roles, the administrator is subjected to a different pw policy on 
the user’s entry. Presumably one that doesn’t have the min age restriction.

Hope this makes sense.

—
Shawn
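To make the scenario in the reply above concrete, here is a small Python model of the pwdMinAge check and of policy selection by subentry. It is an added example written for this page; it is not code from the thread or from the ApacheDS code base. The policy attributes are reduced to the ones the check needs, the DN subtree test is deliberately naive, and the rule that the policy is chosen by the DN performing the modify (so an administrator in a separately scoped area gets a policy without pwdMinAge) is an assumption made to illustrate the reply, not a statement of how any server resolves subentries.

```python
"""Model of pwdMinAge enforcement and subentry-scoped policy selection.

Constructed example: not Apache Directory code. Policy selection keyed on the
modifying DN is an assumption used to illustrate the mailing-list reply.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class PasswordPolicy:
    """Subset of the ppolicy attributes from the thread's example policy."""
    name: str
    pwd_min_age: int = 0        # seconds that must elapse since the last change
    pwd_min_length: int = 0
    pwd_in_history: int = 0     # previous passwords that may not be reused


@dataclass
class Entry:
    dn: str
    user_password: str
    pwd_changed_time: datetime
    pwd_history: list = field(default_factory=list)


# The thread's "default" policy, reduced to the attributes this model enforces.
DEFAULT_POLICY = PasswordPolicy("default", pwd_min_age=86400,
                                pwd_min_length=6, pwd_in_history=5)

# Hypothetical subentry policy for the administrators' area: same rules, no pwdMinAge.
ADMIN_POLICY = PasswordPolicy("admin-reset", pwd_min_age=0,
                              pwd_min_length=6, pwd_in_history=5)

# Hypothetical subentries: (administrative area base DN, policy). Assumed here to
# apply to the DN performing the modify, as the reply describes the desired effect.
SUBENTRIES = [("ou=admins,dc=example,dc=com", ADMIN_POLICY)]


def in_subtree(dn, base):
    """Naive DN subtree test: case-insensitive suffix match on RDN sequences."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def select_policy(modifier_dn, subentries=SUBENTRIES, default=DEFAULT_POLICY):
    """Most specific subentry covering the modifier wins; otherwise the global default."""
    best = None
    for base, policy in subentries:
        deeper = best is None or base.count(",") > best[0].count(",")
        if in_subtree(modifier_dn, base) and deeper:
            best = (base, policy)
    return best[1] if best else default


def check_password_modify(entry, new_password, policy, now):
    """Return None if the change is allowed, else a ppolicy-style error name."""
    if now - entry.pwd_changed_time < timedelta(seconds=policy.pwd_min_age):
        return "passwordTooYoung"
    if len(new_password) < policy.pwd_min_length:
        return "passwordTooShort"
    recent = entry.pwd_history[-policy.pwd_in_history:] if policy.pwd_in_history else []
    if new_password == entry.user_password or new_password in recent:
        return "passwordInHistory"
    return None


def scenario():
    """The reply's scenario: user created automatically, reset attempted an hour later."""
    created = datetime(2022, 9, 29, 8, 0, tzinfo=timezone.utc)   # constructed timestamp
    now = created + timedelta(hours=1)
    user = Entry("uid=jdoe,ou=people,dc=example,dc=com", "initialSecret", created)
    admin_dn = "uid=admin,ou=admins,dc=example,dc=com"
    # 1. Global policy only: the admin's reset hits pwdMinAge like a user self-change.
    global_reset = check_password_modify(user, "NewPass42", DEFAULT_POLICY, now)
    # 2. Subentry-scoped policy selected for the admin: no pwdMinAge, reset proceeds.
    admin_policy = select_policy(admin_dn)
    scoped_reset = check_password_modify(user, "NewPass42", admin_policy, now)
    # 3. The user's own change is still governed by the default policy.
    self_change = check_password_modify(user, "NewPass42", select_policy(user.dn), now)
    return {"global_reset": global_reset, "scoped_policy": admin_policy.name,
            "scoped_reset": scoped_reset, "self_change": self_change}


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the two halves of the argument side by side: with only the global policy the reset an hour after creation fails with passwordTooYoung, while with a subentry covering the administrators' area the same reset is allowed and the user's own change is still held to the one-day minimum age.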

