Please disregard the previous workaround proposal, it was incorrect. The corrected workaround proposal:
The idea is to determine the account/password state on the client side (since there's no easy way to get the server to provide the state without using the user's password). This was accomplished in a prototype by retrieving the pwdPolicySubentry, the policy setting, other operational attributes such as pwdChangedTime, pwdAccountLockedTime, pwdFailureTime, and pwdGraceUseTime. These were used to determine the account/password state.
Is this reasonable and safe to do?
On 08/02/2017 07:31 AM, Ben Chang wrote:
> Question about a proposed workaround:
>
> Would it be possible to use slapo-ppolicy to set the pwdPolicySubentry attribute for each user to provide the desired 1.3.6.1.4.1.42.2.27.9.5.8 control response (see http://ldapwiki.com/wiki/Account%20Usability%20Request%20Control), i.e., can pwdPolicySubentry be used to supply the sub-entry and related operational attributes needed to validate users for password-less logins?
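
The client-side evaluation described in the message above, as an added example (not code from the original post or from OpenLDAP): it derives a state from attributes already read from the user entry and from the entry named by pwdPolicySubentry. Assumptions: attribute semantics follow the LDAP password policy draft that slapo-ppolicy implements, `account_state`, `parse_gt` and all sample values are constructed for illustration, and pwdFailureTime is not evaluated.

```python
from datetime import datetime, timedelta, timezone

# pwdAccountLockedTime value that means "locked until an administrator resets it"
PERMANENT_LOCK = "000001010000Z"

def parse_gt(value):
    """Parse a UTC GeneralizedTime value, ignoring fractional seconds."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def account_state(user, policy, now):
    """Return (state, detail) from attributes that were already fetched.

    user:   operational attributes of the user entry (lists of strings)
    policy: attributes of the entry named by pwdPolicySubentry (ints)
    """
    # Lockout: pwdAccountLockedTime plus pwdLockoutDuration (0 = until reset).
    locked = user.get("pwdAccountLockedTime", [])
    if locked:
        duration = policy.get("pwdLockoutDuration", 0)
        if locked[0] == PERMANENT_LOCK or duration == 0:
            return ("locked", None)
        unlock_at = parse_gt(locked[0]) + timedelta(seconds=duration)
        if now < unlock_at:
            return ("locked", unlock_at)

    # Expiry: pwdChangedTime plus pwdMaxAge (0 or absent = never expires).
    max_age = policy.get("pwdMaxAge", 0)
    changed = user.get("pwdChangedTime", [])
    if max_age and changed:
        expires_at = parse_gt(changed[0]) + timedelta(seconds=max_age)
        if now >= expires_at:
            # Grace logins left: pwdGraceAuthNLimit minus recorded pwdGraceUseTime values.
            used = len(user.get("pwdGraceUseTime", []))
            left = policy.get("pwdGraceAuthNLimit", 0) - used
            return ("expired-grace", left) if left > 0 else ("expired", 0)
        return ("ok", expires_at)
    return ("ok", None)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    policy = {"pwdMaxAge": 7776000, "pwdLockoutDuration": 900, "pwdGraceAuthNLimit": 2}
    user = {"pwdChangedTime": ["20170101000000Z"],
            "pwdGraceUseTime": ["20170715093000Z"]}
    now = datetime(2017, 8, 2, 12, 0, tzinfo=timezone.utc)
    print(account_state(user, policy, now))
```

The result is only as current as the attributes that were read, and the identity performing the read needs access to these operational attributes on every user entry it evaluates.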