RFC auxprop enhancement
Howard Chu
hyc at highlandsun.com
Sat Dec 17 14:40:58 EST 2005
The LDAP Password Policy spec crawls forward, providing a standard
mechanism for defining/enforcing password policies in LDAP. In OpenLDAP
we support password policies for Simple Binds (i.e. plaintext), but it
would be desirable to support it for other secret-based mechs as well.
This necessarily means we're talking about the auxprop API, since the
other available APIs also only support plaintext credentials.
I see two major limitations in the auxprop mechs themselves:

1. the _lookup function is a void, it cannot return any result codes. So
if we encounter an expiration or lockout status, there is no way to
convey it back to the caller.

2. there is no _authentication_done callback, so there is no way to
convey success/failure back to the mech. Which means there is no way to
perform failure counting, in support of a lockout policy.
It seems that there's no simple way to add this functionality without
significant changes to the entire library.
I'm wondering if (a) maybe I've overestimated the difficulty and (b) is
there interest in developing the necessary extensions?
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
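As an added illustration of the two gaps the post describes (not code from the post, from Cyrus SASL, or from OpenLDAP), the sketch below models a hypothetical auxprop-style backend whose lookup returns a password-policy status instead of void, and whose authentication-done hook does the failure counting needed for a lockout policy. The record fields, the `pp_*` function names, the policy limits and the account data are all constructed assumptions, not the real SASL plugin API.

```c
#include <stddef.h>
#include <string.h>

/* Status codes a lookup could hand back to the caller (hypothetical;
 * the real auxprop_lookup is void and cannot report any of these). */
enum pp_status { PP_OK = 0, PP_EXPIRED = 1, PP_LOCKED = 2, PP_NOUSER = 3 };

/* Constructed account record standing in for LDAP ppolicy state. */
struct account {
    const char *name;
    long pwd_changed_time;  /* seconds since epoch of last change */
    unsigned failure_count; /* consecutive failed binds */
    int locked;             /* non-zero once the lockout threshold is hit */
};

/* Constructed policy: 90-day max age, lock after 3 failures. */
static const long MAX_AGE = 90L * 86400L;
static const unsigned MAX_FAILURE = 3;

static struct account accounts[] = {
    { "alice", 9500000L, 0, 0 },   /* changed recently */
    { "bob",   1000000L, 0, 0 },   /* changed long ago: expired */
};

static struct account *find_account(const char *user) {
    size_t i;
    for (i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) return &accounts[i];
    return NULL;
}

/* Lookup with a result code: expiration and lockout can reach the caller. */
int pp_lookup(const char *user, long now) {
    struct account *a = find_account(user);
    if (!a) return PP_NOUSER;
    if (a->locked) return PP_LOCKED;
    if (now - a->pwd_changed_time > MAX_AGE) return PP_EXPIRED;
    return PP_OK;
}

/* Completion hook: success resets the counter, failure counts toward lockout. */
int pp_authentication_done(const char *user, int success) {
    struct account *a = find_account(user);
    if (!a) return PP_NOUSER;
    if (success) { a->failure_count = 0; return PP_OK; }
    if (++a->failure_count >= MAX_FAILURE) { a->locked = 1; return PP_LOCKED; }
    return PP_OK;
}
```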