From benjamin.chang@oracle.com Mon Aug 28 21:36:48 2017
From: benjamin.chang@oracle.com
To: openldap-bugs@openldap.org
Subject: Re: (ITS#8701) account usability control for password less logins
Date: Mon, 28 Aug 2017 21:36:46 +0000

Please disregard the previous workaround proposal, it was incorrect. The corrected workaround proposal:

The idea is to determine the account/password state on the client side (since there's no easy way to get the server to provide the state without using the user's password). This was accomplished in a prototype by retrieving the pwdPolicySubentry, the policy setting, and other operational attributes such as pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, and pwdGraceUseTime. These were used to determine the account/password state.

Is this reasonable and safe to do?

On 08/02/2017 07:31 AM, Ben Chang wrote:
> Question about a proposed workaround:
>
> Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry attribute for each user to provide the desired 1.3.6.1.4.1.42.2.27.9.5.8 control response (see http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control), i.e., can pwdPolicySubentry be used to supply the sub-entry and related operational attributes needed to validate users for password-less logins?
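An added example, not code from this thread or from OpenLDAP, of the client-side evaluation proposed above: given the user's ppolicy operational attributes and the attributes of the referenced pwdPolicySubentry, as a client with read access could retrieve them, it derives the fields that the 1.3.6.1.4.1.42.2.27.9.5.8 response would otherwise carry (locked, expired, remaining grace logins, seconds to expiry or unlock, failures left before lockout). Policy attribute names not mentioned in the thread (pwdMaxAge, pwdLockoutDuration, pwdMaxFailure, pwdFailureCountInterval, pwdGraceAuthNLimit, pwdReset) come from the slapo-ppolicy schema; the sample entries, policy values and reference clock are constructed, and the "usable" verdict is this example's own definition.

```python
from datetime import datetime, timezone

PERMANENT_LOCK = "000001010000Z"  # slapo-ppolicy marker for an administrative lock

def parse_gt(value):
    # LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' -> timezone-aware datetime
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def as_list(value):  # multi-valued attributes may arrive as str or list
    return value if isinstance(value, list) else [value]

def account_usability(entry, policy, now):
    """Fields of the Account Usability response (1.3.6.1.4.1.42.2.27.9.5.8), derived
    from the user's operational attributes ('entry') and the pwdPolicySubentry ('policy')."""
    age = lambda ts: int((now - parse_gt(ts)).total_seconds())
    intp = lambda key: int(policy.get(key, 0))
    state = {"reset": entry.get("pwdReset") == "TRUE", "expired": False, "remaining_grace": 0,
             "seconds_before_expiration": None, "seconds_before_unlock": None}
    # Lockout: pwdLockoutDuration 0 (or absent) means locked until an administrator
    # clears pwdAccountLockedTime; a lock whose duration has already elapsed is inert.
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at is not None:
        if locked_at == PERMANENT_LOCK or intp("pwdLockoutDuration") == 0:
            state["seconds_before_unlock"] = -1
        elif age(locked_at) < intp("pwdLockoutDuration"):
            state["seconds_before_unlock"] = intp("pwdLockoutDuration") - age(locked_at)
    # Expiry: pwdMaxAge 0 disables it; without pwdChangedTime the age is unknown
    # and is treated here as not expiring (assumption made by this example).
    if intp("pwdMaxAge") and "pwdChangedTime" in entry:
        left = intp("pwdMaxAge") - age(entry["pwdChangedTime"])
        state["seconds_before_expiration"] = max(left, 0)
        state["expired"] = left <= 0
        used = len(as_list(entry.get("pwdGraceUseTime", [])))
        state["remaining_grace"] = max(intp("pwdGraceAuthNLimit") - used, 0) if left <= 0 else 0
    # Failed binds within pwdFailureCountInterval (0 = never forgotten) count toward pwdMaxFailure.
    interval = intp("pwdFailureCountInterval")
    recent = [t for t in as_list(entry.get("pwdFailureTime", [])) if not interval or age(t) < interval]
    state["failures_until_lock"] = max(intp("pwdMaxFailure") - len(recent), 0)
    state["usable"] = (state["seconds_before_unlock"] is None and not state["expired"]
                       and not state["reset"])
    return state

# Constructed sample: 90-day max age, 3 grace logins, 10-minute lockout after 5 failures.
POLICY = {"pwdMaxAge": "7776000", "pwdGraceAuthNLimit": "3", "pwdLockoutDuration": "600",
          "pwdMaxFailure": "5", "pwdFailureCountInterval": "600"}
NOW = parse_gt("20170828213600Z")
EXPIRED_USER = {"pwdChangedTime": "20170101000000Z", "pwdGraceUseTime": ["20170827120000Z"]}
LOCKED_USER = {"pwdChangedTime": "20170801000000Z", "pwdAccountLockedTime": "20170828213000Z",
               "pwdFailureTime": ["20170828212900Z", "20170828213000Z"]}
```

The verdict is only as fresh as the replica the client read and as complete as the ACLs that expose these operational attributes to it; a bind decision made by the server remains authoritative.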