RFC auxprop enhancement
Alexey Melnikov
alexey.melnikov at isode.com
Sat Dec 17 16:39:39 EST 2005
Howard Chu wrote:
> The LDAP Password Policy spec crawls forward, providing a standard
> mechanism for defining/enforcing password policies in LDAP. In
> OpenLDAP we support password policies for Simple Binds (i.e.
> plaintext), but it would be desirable to support it for other
> secret-based mechs as well. This necessarily means we're talking about
> the auxprop API, since the other available APIs also only support
> plaintext credentials.
>
> I see two major limitations in the auxprop mechs themselves:
>
> 1. the _lookup function is a void, it cannot return any result codes.
> So if we encounter an expiration or lockout status, there is no way to
> convey it back to the caller.
>
> 2. there is no _authentication_done callback, so there is no way to
> convey success/failure back to the mech. Which means there is no way
> to perform failure counting, in support of a lockout policy.
>
> It seems that there's no simple way to add this functionality without
> significant changes to the entire library.
>
> I'm wondering if (a) maybe I've overestimated the difficulty
I don't think you have. However, I would like to note that the changes can
be done incrementally: change the lookup function to return a value, then
update the plugins.
> and (b) is there interest in developing the necessary extensions?
Yes.
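As an added illustration of the two extensions discussed in this thread (a _lookup that returns a result code so expiry and lockout state reach the caller, and an _authentication_done callback so the plugin can do failure counting), here is a self-contained C sketch. It is not code from Cyrus SASL or OpenLDAP and not from either poster; every name in it (xp_lookup, xp_authentication_done, xp_authenticate, XP_MAX_FAILURES, the in-memory user table) is invented for the example, and the in-memory table is constructed sample data standing in for the LDAP backend.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical status codes a lookup or done-callback hands back to the caller
 * (invented for this example; not Cyrus SASL's SASL_* codes). */
enum xp_status { XP_OK = 0, XP_NOUSER = -1, XP_BADAUTH = -2,
                 XP_EXPIRED = -3, XP_LOCKED = -4 };

#define XP_MAX_FAILURES 3   /* lock the account after this many consecutive failures */

struct xp_user {
    const char *name;
    const char *secret;   /* what a secret-based mech needs from the backend */
    time_t      expires;  /* password expiry time; 0 = never */
    int         failures; /* consecutive failed authentications */
    int         locked;
};

/* Constructed in-memory table standing in for the LDAP entries. */
static struct xp_user users[] = {
    { "alice", "s3cret",  0, 0, 0 },
    { "bob",   "hunter2", 1, 0, 0 },   /* expired: one second after the epoch */
};

static struct xp_user *xp_find(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Hypothetical _lookup with a result code instead of void: the policy state
 * (expired, locked out) is conveyed to the caller instead of being lost. */
int xp_lookup(const char *name, const char **secret_out, time_t now)
{
    struct xp_user *u = xp_find(name);
    if (!u)                              return XP_NOUSER;
    if (u->locked)                       return XP_LOCKED;
    if (u->expires && u->expires <= now) return XP_EXPIRED;
    *secret_out = u->secret;
    return XP_OK;
}

/* Hypothetical _authentication_done callback: the mech reports the outcome,
 * which is what failure counting in support of a lockout policy needs. */
int xp_authentication_done(const char *name, int success)
{
    struct xp_user *u = xp_find(name);
    if (!u) return XP_NOUSER;
    if (success) { u->failures = 0; return XP_OK; }
    if (++u->failures >= XP_MAX_FAILURES) u->locked = 1;
    return u->locked ? XP_LOCKED : XP_OK;
}

/* Driver in the role of the mechanism: fetch the secret, verify, report back.
 * The comparison is a plaintext strcmp only to keep the example short; a real
 * secret-based mech would use the fetched secret in its own exchange. */
int xp_authenticate(const char *name, const char *password, time_t now)
{
    const char *secret = NULL;
    int rc = xp_lookup(name, &secret, now);
    if (rc != XP_OK) return rc;   /* expired/locked entries never reach the mech step */
    int ok = strcmp(secret, password) == 0;
    rc = xp_authentication_done(name, ok);
    if (ok) return XP_OK;
    return rc == XP_LOCKED ? XP_LOCKED : XP_BADAUTH;
}

int main(void)
{
    time_t now = 100;  /* fixed clock so the run is reproducible */
    printf("bob   (expired password): %d\n", xp_authenticate("bob", "hunter2", now));
    for (int i = 0; i < XP_MAX_FAILURES; i++)
        printf("alice (wrong password #%d): %d\n", i + 1,
               xp_authenticate("alice", "nope", now));
    printf("alice (correct password, but now locked): %d\n",
           xp_authenticate("alice", "s3cret", now));
    return 0;
}
```

The point of the sketch is the control flow, not the storage: with a void lookup the expired and locked cases would have to be collapsed into "no secret available", and without the done-callback the failures counter could never be maintained by the plugin that owns the policy.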