[kdc-schema] Kerberos Password Policy vs LDAP Password Policy
Ludovic Poitou
ludovic.poitou at Sun.COM
Wed Jul 30 06:42:49 EDT 2003
Leif Johansson wrote:
> Ludovic Poitou wrote:
>
>> I've done an evaluation of both Kerberos and LDAP password policies,
>> based on a Sun blueprint (http://www.sun.com/blueprints/1001/krb.pdf,
>> page 12 "Establishing the Password Policies").
>>
>> There's nothing in the Kerberos password policy that is not supported
>> by the LDAP password policy.
>>
>> The only item that differs is the Kerberos "Maximum Password Classes".
>> The LDAP password policy defines whether the "syntax" is to be
>> checked but doesn't define what the minimal requirements on the
>> password itself are. These requirements are implementation details.
>>
>
> Good work Ludovic - I guess there should be a separate type of policy
> password quality ...
>
> Cheers Leif
I agree.
However, I don't believe there is a very common way to express password
quality. Each organization has its own opinion of the minimum quality
and way to express it.
Classes of characters is one way. Some other ways include more explicit
Lower and Upper Case characters, number of characters in each class and
even positioning of these classes of characters, checking against specific
dictionaries...
Ludovic.
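
The following is an added example, not part of the original message or of any LDAP or Kerberos schema: it shows how the quality rules listed above (class count, per-class minimums, positioning, dictionary check) give different verdicts on the same password. The five-class partition, the `QualityPolicy` fields and the sample passwords are assumptions made for illustration.

```python
import string
from dataclasses import dataclass, field

def char_class(ch):
    """Map a character to one of five classes (this example's own partition)."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    if ch in string.punctuation:
        return "punct"
    return "other"

@dataclass
class QualityPolicy:  # hypothetical structure, not an LDAP or Kerberos schema
    min_length: int = 8
    min_classes: int = 1                               # distinct classes required
    min_per_class: dict = field(default_factory=dict)  # e.g. {"digit": 2}
    forbid_edge_classes: tuple = ()                    # classes barred at first/last position
    dictionary: frozenset = frozenset()                # lowercase words to reject

def check(password, policy):
    """Return the list of violated rules; an empty list means the password passes."""
    classes = [char_class(c) for c in password]
    failures = []
    if len(password) < policy.min_length:
        failures.append("min_length")
    if len(set(classes)) < policy.min_classes:
        failures.append("min_classes")
    for cls, need in policy.min_per_class.items():
        if classes.count(cls) < need:
            failures.append(f"min_per_class:{cls}")
    if set(classes[:1] + classes[-1:]) & set(policy.forbid_edge_classes):
        failures.append("position")
    # Dictionary check on the letters only, so "Password1!" still matches "password".
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in policy.dictionary:
        failures.append("dictionary")
    return failures

# Constructed sample policies: one counts classes, the other spells the rules out.
CLASS_COUNT = QualityPolicy(min_length=8, min_classes=3)
EXPLICIT = QualityPolicy(min_length=8, min_per_class={"lower": 1, "upper": 1, "digit": 2},
                         forbid_edge_classes=("digit",), dictionary=frozenset({"password"}))

if __name__ == "__main__":
    for pw in ("Password1!", "tr0ub4dor&Zebra", "alllowercase", "9Lives7Cat"):
        print(pw, check(pw, CLASS_COUNT), check(pw, EXPLICIT))
```

A class-count rule alone accepts `Password1!`, while the explicit policy rejects it on both the digit minimum and the dictionary check.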