David Wilson wrote:
On Tue, 2009-07-14 at 17:35 -0700, Howard Chu wrote:

Section 18.1.6: a) why is pwdQualityRule single-valued? Without an initial set of rules to serve as examples, it's difficult to evaluate the usefulness of this attribute. I would expect that multiple orthogonal rules will be defined and that a policy would allow combinations of these rules to be chosen. IMO this attribute should be multi-valued and at least one or two prototypical rules need to be part of the spec. As an example, a rule that validates the plaintext of a password against a regular expression would be useful.

In thinking about what custom modules we've implemented for this in the past, I propose a couple rules for usage. First of all, assume that pwdQualityRule is multivalued, where each value defines a single type of rule, and a given password must pass every rule to be valid.

I've been ruminating over this, and I'm not sure that a multi-valued attribute in each user's entry is what is needed.
I think you misunderstood somewhere; this attribute is part of the pwdPolicy subentry. It is not in each user's entry.
Another interesting debate is over the whole issue of password quality, as in: <http://www.usenix.org/event/hotsec07/tech/full_papers/florencio/florencio.pdf>
Yes... In some ways this may be a problem that is no longer in search of a solution...
--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
-----
www.x500standard.com: The central source for information on the X.500 Directory Standard.