[Kdc-info] policy-as-code
Bob Joslin
bob_joslin at hp.com
Wed May 14 12:19:46 EDT 2003
Hi Leif,
I think there might be some value in considering a policy info. model that
contains the intersection of both LDAP and Kerberos account/password policy
requirements. Other more complex or Kerberos-specific policies could be up
to the implementation. Any thoughts?
Bob Joslin
-----Original Message-----
From: kdc-info-bounces at mit.edu [mailto:kdc-info-bounces at mit.edu] On Behalf
Of Leif Johansson
Sent: Wednesday, May 14, 2003 12:29 AM
To: kdc-info at mit.edu
Subject: [Kdc-info] policy-as-code
I had a discussion with Love Hörnqvist-Åstrand who had an interesting point
concerning policy-requirements in a kdc which makes me doubt the long-term
feasibility of modelling policy in the directory. The argument goes something
like this (Love: Please correct me on the list if I got you wrong, ok?):
Today policy can be described in terms of a fixed set of parameters (password
expiry days for instance) but this may be inadequate to describe more complex
but necessary policy. For instance try to express: all */admin must have more
than 4 iterations in AES or only requests coming from a certain set of hosts
are allowed to obtain tickets for foo-service/foo.example.com@EXAMPLE.COM.
I would like comments on this -- is it relevant? Do we still model the policy
we have today and ignore anything else or do we try to encompass these
situations?
/leifj
_______________________________________________
kdc-info mailing list
kdc-info at mit.edu
http://mailman.mit.edu/mailman/listinfo/kdc-info
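Added example, not part of the thread and not code from any KDC: the two policies named in the quoted message written as predicates, next to a fixed-parameter record of the kind a directory schema holds. Every name, the 90-day value, the address range and the reading of "iterations in AES" as a per-key iteration count are assumptions.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

# Fixed-parameter model: one attribute set, same shape for every principal.
FIXED_POLICY = {"password_expiry_days": 90}  # constructed value

def password_expired(age_days):
    """The kind of check a fixed parameter can express."""
    return age_days > FIXED_POLICY["password_expiry_days"]

@dataclass(frozen=True)
class Request:  # hypothetical view of a ticket request
    client: str          # requesting principal, name@REALM
    service: str         # requested service principal
    source_ip: str       # address the request came from
    aes_iterations: int  # assumed: iteration count of the client's AES key

FOO = "foo-service/foo.example.com@EXAMPLE.COM"
ALLOWED_NETS = [ip_network("192.0.2.0/28")]  # constructed (TEST-NET-1)

def admin_iterations(req):
    """All */admin must have more than 4 iterations in AES."""
    name = req.client.split("@", 1)[0]
    if fnmatchcase(name, "*/admin") and req.aes_iterations <= 4:
        return "admin principal needs more than 4 AES iterations"
    return None

def foo_service_hosts(req):
    """Only a certain set of hosts may obtain tickets for FOO."""
    if req.service != FOO:
        return None
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return "source host may not obtain tickets for " + FOO
    return None

# Policy as code: an open-ended list of predicates over the whole request,
# which no fixed attribute list anticipates.
RULES = [admin_iterations, foo_service_hosts]

def evaluate(req):
    """Return the violated rules; an empty list means the request passes."""
    return [msg for rule in RULES if (msg := rule(req)) is not None]
```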