RFC auxprop enhancement

Alexey Melnikov alexey.melnikov at isode.com
Sat Dec 17 16:39:39 EST 2005


Howard Chu wrote:

> The LDAP Password Policy spec crawls forward, providing a standard 
> mechanism for defining/enforcing password policies in LDAP. In 
> OpenLDAP we support password policies for Simple Binds (i.e. 
> plaintext), but it would be desirable to support it for other 
> secret-based mechs as well. This necessarily means we're talking about 
> the auxprop API, since the other available APIs also only support 
> plaintext credentials.
>
> I see two major limitations in the auxprop mechs themselves:
>   the _lookup function is a void, it cannot return any result codes. 
> So if we encounter an expiration or lockout status, there is no way to 
> convey it back to the caller.
>   there is no _authentication_done callback, so there is no way to 
> convey success/failure back to the mech. Which means there is no way 
> to perform failure counting, in support of a lockout policy.
>
> It seems that there's no simple way to add this functionality without 
> significant changes to the entire library.
>
> I'm wondering if (a) maybe I've overestimated the difficulty

I don't think you have. However, I would like to note that the changes can 
be done incrementally: change the lookup function to return a value, then 
update the plugins.

> and (b) is there interest in developing the necessary extensions?

Yes.
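To make the two missing pieces concrete, here is an added sketch (not code from this thread, and not the Cyrus SASL auxprop API) of what the two changes Howard asks for look like side by side: a lookup that returns a status instead of void, so expiry and lockout can be reported, and an authentication_done callback that counts failures and locks the account. The status names, the MAX_FAILURES threshold, the in-memory user table and the secrets in it are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical status codes a lookup or done-callback could return.
 * Illustrative names only; not Cyrus SASL's auxprop API. */
enum auxprop_status {
    AUXPROP_OK = 0,
    AUXPROP_NOUSER,
    AUXPROP_BADAUTH,
    AUXPROP_EXPIRED,
    AUXPROP_LOCKED
};

#define MAX_FAILURES 3   /* lockout threshold (assumed policy value) */

/* Constructed in-memory "directory": one record per user. */
struct user_rec {
    const char *name;
    const char *secret;   /* plaintext for the demo; a real store would hash */
    time_t      expires;  /* 0 = never expires */
    int         failures; /* consecutive failed authentications */
    int         locked;
};

static struct user_rec users[] = {
    { "alice", "s3cret",  0,    0, 0 },
    { "bob",   "hunter2", 2000, 0, 0 },   /* password expires at t=2000 */
    { "carol", "pw",      0,    0, 0 },
};

static struct user_rec *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* Constant-time comparison over the common prefix so the comparison
 * itself does not leak the secret byte by byte. */
static int secrets_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Change 1: lookup returns a status instead of void, so an expired or
 * locked account is reported to the caller rather than silently
 * yielding no secret. */
int auxprop_lookup(const char *name, time_t now, const char **secret_out)
{
    struct user_rec *u = find_user(name);
    if (u == NULL)
        return AUXPROP_NOUSER;
    if (u->locked)
        return AUXPROP_LOCKED;
    if (u->expires != 0 && now >= u->expires)
        return AUXPROP_EXPIRED;
    *secret_out = u->secret;
    return AUXPROP_OK;
}

/* Change 2: an authentication_done callback lets the plugin count
 * failures and lock the account once the threshold is reached.
 * Success resets the counter. */
int auxprop_authentication_done(const char *name, int success)
{
    struct user_rec *u = find_user(name);
    if (u == NULL)
        return AUXPROP_NOUSER;
    if (success) {
        u->failures = 0;
        return AUXPROP_OK;
    }
    if (++u->failures >= MAX_FAILURES) {
        u->locked = 1;
        return AUXPROP_LOCKED;
    }
    return AUXPROP_BADAUTH;
}

/* What a secret-based mech would do with the two hooks: never compare
 * against a secret the lookup refused to hand out, and always report
 * the outcome back so the policy can be enforced. */
int authenticate(const char *name, const char *candidate, time_t now)
{
    const char *secret = NULL;
    int st = auxprop_lookup(name, now, &secret);
    if (st != AUXPROP_OK)
        return st;
    int ok = secrets_equal(secret, candidate);
    int done = auxprop_authentication_done(name, ok);
    return ok ? AUXPROP_OK : done;
}

int failure_count(const char *name)
{
    struct user_rec *u = find_user(name);
    return u ? u->failures : -1;
}

int main(void)
{
    static const char *label[] = { "OK", "NOUSER", "BADAUTH", "EXPIRED", "LOCKED" };
    for (int i = 0; i < 4; i++)
        printf("alice/wrong -> %s\n", label[authenticate("alice", "wrong", 1000)]);
    printf("bob at t=5000 -> %s\n", label[authenticate("bob", "hunter2", 5000)]);
    return 0;
}
```

The third wrong guess for alice trips the lockout, and from then on the lookup itself returns LOCKED before any comparison happens, which is the property a void lookup cannot express.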



More information about the Cyrus-sasl mailing list