RFC auxprop enhancement

Howard Chu hyc at highlandsun.com
Sat Dec 17 14:40:58 EST 2005


The LDAP Password Policy spec crawls forward, providing a standard 
mechanism for defining/enforcing password policies in LDAP. In OpenLDAP 
we support password policies for Simple Binds (i.e. plaintext), but it 
would be desirable to support it for other secret-based mechs as well. 
This necessarily means we're talking about the auxprop API, since the 
other available APIs also only support plaintext credentials.

I see two major limitations in the auxprop mechs themselves:
   - the _lookup function is void, so it cannot return any result codes. 
If we encounter an expiration or lockout status, there is no way to 
convey it back to the caller.
   - there is no _authentication_done callback, so there is no way to 
convey success/failure back to the mech, which means there is no way to 
perform failure counting in support of a lockout policy.

It seems that there's no simple way to add this functionality without 
significant changes to the entire library.

I'm wondering if (a) maybe I've overestimated the difficulty and (b) is 
there interest in developing the necessary extensions?

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/
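
The two extensions the post asks for, sketched as an added example in plain C. This is not code from the post, from Cyrus SASL or from OpenLDAP, and it uses no SASL headers: the status enum, auxprop_lookup_ex, auxprop_auth_done, MAX_FAILURES, the backend structs and the demo_* helpers are all assumed names for illustration. It shows a lookup that returns a status code (so expiration and lockout reach the caller) and an authentication-done callback in which the plugin counts failures and trips a lockout.

```c
/* Added example, not from the post or from Cyrus SASL. All names here are
 * assumptions for illustration; the real auxprop_lookup of 2005 is void. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Status a lookup, or a whole authentication, can now report. */
enum auth_status {
    AUTH_OK = 0,
    AUTH_NOUSER,
    AUTH_EXPIRED,   /* policy: the stored secret has expired */
    AUTH_LOCKED,    /* policy: the account is locked out */
    AUTH_BADAUTH    /* the client's proof did not match */
};

#define MAX_FAILURES 3  /* assumed lockout threshold */

struct user_rec {
    const char *name;
    const char *secret;
    bool expired;
    unsigned failures;  /* consecutive failed authentications */
    bool locked;
};

struct backend { struct user_rec *users; size_t n; };

static struct user_rec *find_user(struct backend *be, const char *user)
{
    for (size_t i = 0; i < be->n; i++)
        if (strcmp(be->users[i].name, user) == 0)
            return &be->users[i];
    return NULL;
}

/* Extension 1: a lookup that returns a status code instead of void, so an
 * expired or locked entry is distinguishable from "no secret found". */
static int auxprop_lookup_ex(struct backend *be, const char *user,
                             const char **secret_out)
{
    struct user_rec *u = find_user(be, user);
    if (u == NULL)  return AUTH_NOUSER;
    if (u->locked)  return AUTH_LOCKED;
    if (u->expired) return AUTH_EXPIRED;
    *secret_out = u->secret;
    return AUTH_OK;
}

/* Extension 2: the mech calls this once it knows whether the proof matched.
 * Failure counting and lockout live here; without the callback the plugin
 * never learns the outcome. */
static void auxprop_auth_done(struct backend *be, const char *user, bool success)
{
    struct user_rec *u = find_user(be, user);
    if (u == NULL)
        return;
    if (success)
        u->failures = 0;                 /* a good bind clears the counter */
    else if (++u->failures >= MAX_FAILURES)
        u->locked = true;                /* lockout policy tripped */
}

/* Stand-in for a secret-based mech: fetch the secret, check the proof, report
 * the outcome. A real CRAM-MD5/DIGEST-MD5 mech would verify a challenge
 * response here rather than compare strings. */
static int authenticate(struct backend *be, const char *user, const char *proof)
{
    const char *secret = NULL;
    int st = auxprop_lookup_ex(be, user, &secret);
    if (st != AUTH_OK)
        return st;                       /* policy state reaches the caller */
    bool ok = strcmp(secret, proof) == 0;
    auxprop_auth_done(be, user, ok);
    return ok ? AUTH_OK : AUTH_BADAUTH;
}

/* Constructed sample accounts for the demo (not real data). */
static struct user_rec demo_users[] = {
    { "alice", "correct-horse", false, 0, false },
    { "bob",   "stale",         true,  0, false },
};
static struct backend demo_be = { demo_users, 2 };

static int demo_attempt(const char *user, const char *proof)
{
    return authenticate(&demo_be, user, proof);
}

static unsigned demo_failures(const char *user)
{
    struct user_rec *u = find_user(&demo_be, user);
    return u ? u->failures : 0;
}

static bool demo_locked(const char *user)
{
    struct user_rec *u = find_user(&demo_be, user);
    return u ? u->locked : false;
}
```

Calling demo_attempt("alice", "wrong") three times returns AUTH_BADAUTH each time and leaves alice locked, after which even the correct secret yields AUTH_LOCKED; a successful attempt before the threshold resets the counter. The point of the shape is that both pieces of policy state cross the plugin boundary through return values and a callback, which is exactly what the void _lookup and the missing _authentication_done hook prevent today.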
