Howard Chu wrote:
Generally, we implement features according to the published specs. If
believe this feature is valuable, you should push to have it included in the
next version of the ppolicy draft. I've been pushing for a few additions
recently as well.
More details are also on the X.500 list
I'm all for getting useful enhancements into the published spec. But as this
is a security mechanism we're talking about, it has to be designed with some care.
The scenario you've provided as motivation for the feature you describe sounds
like a bunch of poorly written apps; they should immediately remove passwords
from their caches the first time they fail to authenticate. At the very least,
they should immediately come back to the user with an error message and ask
for confirmation before retrying.
Also, using apps which perform silent implicit authentications of this sort
renders parts of ppolicy useless (e.g., warnings about password expiration
and/or grace logins drop on the floor instead of being presented to the user).
Fix the real problem, not just the symptom. The approach you're pushing for is
just putting a bandaid on a problem, not fixing it. This may be how other
folks handle their software design problems, but it just doesn't fly for
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/