[Kdc-info] Password change operations

Wyllys Ingersoll wyllys.ingersoll at sun.com
Wed Jul 30 15:33:28 EDT 2003


At the Vienna meeting, there was some discussion about the
best way to handle password/key changes when using the LDAP
administrative model.  I was asked to look at the choices
and make a short writeup - so here it is...

Choices - use the passwd-change draft currently being proposed
by Nicolas Williams <draft-ietf-krb-wg-kerberos-set-passwd-00.txt>,
use RFC 3062 (LDAP Password Modify Extended Operation),
or define something new using the information model and schema
that results from the ongoing discussions on this list.

The last option (define something new) is obviously the least
attractive and I just mentioned it as a remote possibility.

RFC 3062 is probably not the best way to handle password
requests in this situation because it is limited to only
password change operations.  The set-password draft is more
complete and covers re-keying operations as well as simple
password changes.

So, IMO, the KDC-INFO work should not specify password or key
change operations.  Passwords and keys should be updated
only by using the set-password protocol.  This will avoid
confusion that might result from having multiple paths for
changing a password and also avoids duplicating the work.

-Wyllys Ingersoll



