[Kdc-info] policy-as-code
Leif Johansson
leifj at it.su.se
Wed May 14 15:33:45 EDT 2003
Bob Joslin wrote:
>Hi Leif,
>
>I think there might be some value in considering a policy info. model that
>contains the intersection of both LDAP and Kerberos account/password policy
>requirements. Other more complex or kerberos specific policies could be up
>to the implementation. Any thoughts?
>
>Bob Joslin
>
>
>
I think you may be right for the reason that there is already an ldap
password policy which might (or might not) semantically coincide (more
or less) with typical kerberos password policy....
.. On the other hand; future implementations of kdc's may very well
include much more complex (stored-as-code) policy objects that are as
common as password policy is today. In that case I doubt if anyone will
store password policy in the directory and every other kind of policy
as perl-code (or whatever).
So which of these alternatives do we pursue:
0. No policy at all in the core information model -- just make room for
   extensions.
1. Just do password policy and leave it at that.
2. Try to specify a more general policy framework.
I am somewhere between 0 and 1. I was almost at 2 after our last meeting
but Love's comments made me think twice about the feasibility of this.
Policy in ldap can get really ugly. Look at the cpim policy framework
schema for an example... I'd like to wind up with a relatively simple
schema as the result of this, something multiple vendors might actually
implement...
/leifj