RFC auxprop enhancement

Alexey Melnikov alexey.melnikov at isode.com
Mon Dec 19 05:04:25 EST 2005


Pierangelo Masarati wrote:

>>Howard Chu wrote:
>>
>>    
>>
>>>The LDAP Password Policy spec crawls forward, providing a standard
>>>mechanism for defining/enforcing password policies in LDAP. In
>>>OpenLDAP we support password policies for Simple Binds (i.e.
>>>plaintext), but it would be desirable to support it for other
>>>secret-based mechs as well. This necessarily means we're talking about
>>>the auxprop API, since the other available APIs also only support
>>>plaintext credentials.
>>>
>>>I see two major limitations in the auxprop mechs themselves:
>>>  the _lookup function is a void, it cannot return any result codes.
>>>So if we encounter an expiration or lockout status, there is no way to
>>>convey it back to the caller.
>>>  there is no _authentication_done callback, so there is no way to
>>>convey success/failure back to the mech. Which means there is no way
>>>to perform failure counting, in support of a lockout policy.
>>>
>>>It seems that there's no simple way to add this functionality without
>>>significant changes to the entire library.
>>>
>>>I'm wondering if (a) maybe I've overestimated the difficulty
>>>      
>>>
>>I don't think you do. However I would like to note that the changes can
>>be done incrementally: change the lookup function to return a value, then
>>update plugins.
>>
>>    
>>
>>>and (b) is there interest in developing the necessary extensions?
>>>      
>>>
>>Yes.
>>    
>>
>
>Howard, Alexey,
>
>encouraged by your comments I've started looking in detail at the code
>and, based on our early discussion, I think the difficulty will not be that
>hard.  I think we can split the activity into the following steps:
>
>1) add a return value to auxprop_lookup() and _sasl_auxprop_lookup(), set
>it from inside the lib and the plugins, and use it inside the lib;
>
>2) add an (optional) auxprop_done() hook, and call it consistently from
>inside the lib.
>  
>
I am not sure that #2 is required, if the change #1 is done everywhere.

>This is all with SASL; then
>
>3) determine cases in which direct searches for the password attribute
>should be considered authentication attempts, and act on draft-behera
>accordingly (this requires moving discussion to the ldapbis at ietf.org list,
>as it is off-topic here);
>  
>
>4) modify the ldapdb auxprop plugin so that it exploits the auxprop_done()
>call;
>
>5) modify the ldapdb auxprop so that it supports the ppolicy control.
>  
>
Also keep in mind that I have tons of changes to Howard's LDAPDB
plugin, so let me know first if you want to change anything in it.

>I'm preparing two patches for submission to Cyrus SASL, one for point (1),
>which could be of benefit for other mechs as well, and one (conditional on
>the existence of ppolicy support in the LDAP library) for point (5), which
>should be considered only as an example of how it could be implemented,
>since currently the support for ppolicy in OpenLDAP (as of draft-behera)
>doesn't consider searches yet.
>
>I'll submit the two patches separately for initial review by Cyrus SASL
>later on, when I get to a better performing connection :).  Right now, I
>consider them little more than a basis for further discussion.
>  
>
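The two API changes discussed in this thread (a lookup that returns a status code instead of void, and a done hook that tells the plugin whether authentication succeeded so it can count failures for a lockout policy), sketched as an added illustrative C mock. This is not Cyrus SASL's code nor the patches under discussion; the status names (AP_*), the plugin table (auxprop_plug_t), the mock functions, the threshold and the sample accounts are all constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Status codes the proposed int-returning lookup could convey (hypothetical names). */
enum { AP_OK = 0, AP_NOUSER, AP_BADAUTH, AP_EXPIRED, AP_LOCKED };
#define LOCKOUT_THRESHOLD 3

/* Constructed sample directory with per-account policy state. */
typedef struct { const char *user, *secret; int expired, failures; } account_t;
static account_t db[] = {
    { "alice", "s3cret",  0, 0 },
    { "bob",   "hunter2", 1, 0 },   /* password already expired */
};

static account_t *find_account(const char *user) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].user, user) == 0) return &db[i];
    return NULL;
}

/* Proposed plugin table: lookup returns a status, done is an optional hook. */
typedef struct {
    int  (*lookup)(const char *user, const char **secret_out);
    void (*done)(const char *user, int success);
} auxprop_plug_t;

/* With a return value, expiry and lockout are no longer silently dropped. */
static int mock_lookup(const char *user, const char **secret_out) {
    account_t *a = find_account(user);
    if (!a) return AP_NOUSER;
    if (a->failures >= LOCKOUT_THRESHOLD) return AP_LOCKED;
    if (a->expired) return AP_EXPIRED;
    *secret_out = a->secret;
    return AP_OK;
}

/* Failure counting is only possible because the library reports the outcome. */
static void mock_done(const char *user, int success) {
    account_t *a = find_account(user);
    if (a) a->failures = success ? 0 : a->failures + 1;
}

static auxprop_plug_t plug = { mock_lookup, mock_done };

/* Library side: consult the plugin, verify (plain compare stands in for the
 * mechanism's real check), then report the outcome through the done hook. */
int authenticate(const char *user, const char *pass) {
    const char *secret = NULL;
    int rc = plug.lookup(user, &secret);
    if (rc != AP_OK) return rc;          /* policy status reaches the caller */
    int ok = (strcmp(secret, pass) == 0);
    if (plug.done) plug.done(user, ok);
    return ok ? AP_OK : AP_BADAUTH;
}
```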


