LDAP pwd Exchange Time

I have a LDAP question.

Right now I am deriving the pwd Expiration Date from pwdChangedTime + pwdMaxAge.
I am looking into using another approach... maybe using pwdExpirationWarned?

Looking at these two...

pwdExpireWarning: specifies the maximum number of seconds before a password is about to expire that expiration warning messages will be returned to an authenticating user.
pwdExpirationWarned: contains the time at which the password expiration warning was first sent to the client.

Can I assume that the pwd Expiration Date is pwdExpirationWarned + pwdExpireWarning?

Thanks!
Asked by IONEL_POPA

1 Solution

jwilleke commented:
Which LDAP vendor server are you using?
The implementation of these attributes is vendor dependent.

These attributes are part of an RFC draft that is not formalized.
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10)
In the latest draft, pwdExpirationWarned was dropped, as there were some questions as to how to maintain the value.

But, generally, yes, the assumption is
4.3.4 pwdExpirationWarned

  This attribute contains the time when the password expiration
  warning was first sent to the client. The password will expire in
  the pwdExpireWarning time.

5.2.8. pwdExpireWarning
   This attribute specifies the maximum number of seconds before a
   password is due to expire that expiration warning messages will be
   returned to an authenticating user.

   If this attribute is not present, or if the value is 0 no warnings
   will be returned.  If not 0, the value must be smaller than the value
   of the pwdMaxAge attribute.
...
     D. Calculates whether the time before expiration warning should
        be sent.


        If the pwdExpireWarning attribute is present and contains a
        value, the server MUST perform the following steps.


            If the pwdExpirationWarned attribute is present and has a
            time value, the warning time is the value of the
            pwdExpirationWarned attribute plus the value of the
            pwdExpireWarning attribute minus the current time.


            If the pwdExpirationWarned attribute is not present, the
            server MUST subtract the current time from the time stored
            in pwdChangedTime to arrive at the password's age. If the
            age is greater than the value of the pwdMaxAge attribute
            minus the value of the pwdExpireWarning attribute, the
            server MUST set the current time as the value of the
            pwdExpirationWarned attribute, and the warning time is the
            value of pwdMaxAge minus the password's age.

Reading the above we come to the following assumptions:

1- the password will expire at the (pwdExpirationWarned plus pwdExpireWarning) date.
2- the first time there is a bind within the warning period, when pwdExpirationWarned is not yet initialized, the calculated warning time is equal to (pwdChangedTime plus pwdMaxAge) minus the current time.
3- the second time there is a bind within the warning period, when pwdExpirationWarned is already initialized, the calculated warning time is equal to (pwdExpirationWarned plus pwdExpireWarning) minus the current time, which is a value surely larger than the one calculated during the first bind.

The last two points have the following implications:

4- if the server calculates the expiration date using the returned warning time, you obtain two different values between the first and any subsequent bind within the warning period, which is not very consistent.
5- the real expiration date can be extended well beyond (pwdChangedTime plus pwdMaxAge), depending on when the first bind during the warning period happens, almost up to (pwdChangedTime plus pwdMaxAge plus pwdExpireWarning) if my first bind within the warning period falls within the last usable second of the (pwdChangedTime plus pwdMaxAge) time.

-jim
 
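The warning-time calculation quoted from the draft (step D) and the two consequences Jim lists (points 4 and 5) are easier to see when run. The following is an added example, not code from the original thread or from any directory server: it implements step D literally, with constructed sample values (a 90-day pwdMaxAge, a 14-day pwdExpireWarning, and a password changed on 2024-01-01) and LDAP GeneralizedTime strings of the form YYYYMMDDHHMMSSZ. The `PolicyState` class and the helper names are this example's own, not attributes or APIs of any product.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(s):
    """Parse an LDAP GeneralizedTime of the form YYYYMMDDHHMMSSZ (UTC only)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    """Render a timezone-aware datetime as YYYYMMDDHHMMSSZ."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


class PolicyState:
    """Hypothetical holder for the per-entry operational attributes the draft
    names; a real server keeps these on the user entry."""

    def __init__(self, pwdChangedTime, pwdExpirationWarned=None):
        self.pwdChangedTime = pwdChangedTime          # GeneralizedTime string
        self.pwdExpirationWarned = pwdExpirationWarned  # GeneralizedTime or None


def nominal_expiry(pwdChangedTime, pwdMaxAge):
    """The expiration date the question computes: pwdChangedTime + pwdMaxAge."""
    return parse_generalized_time(pwdChangedTime) + timedelta(seconds=pwdMaxAge)


def warning_time_on_bind(state, now, pwdMaxAge, pwdExpireWarning):
    """Step D of the draft's bind processing, as quoted above.

    Returns the number of seconds until expiry the server would report in its
    warning, or None when no warning is due.  Mutates `state` the way the draft
    says the server MUST: pwdExpirationWarned is set on the first bind that
    falls inside the warning window.
    """
    if not pwdExpireWarning:
        return None  # attribute absent or 0: no warnings
    if state.pwdExpirationWarned is not None:
        # Second and later binds: pwdExpirationWarned + pwdExpireWarning - now
        warned_at = parse_generalized_time(state.pwdExpirationWarned)
        remaining = warned_at + timedelta(seconds=pwdExpireWarning) - now
        return int(remaining.total_seconds())
    # First bind: age = now - pwdChangedTime; warn if inside the window
    changed = parse_generalized_time(state.pwdChangedTime)
    age = int((now - changed).total_seconds())
    if age > pwdMaxAge - pwdExpireWarning:
        state.pwdExpirationWarned = format_generalized_time(now)
        return pwdMaxAge - age
    return None


def expiry_seen_by_client(state, bind_times, pwdMaxAge, pwdExpireWarning):
    """Expiration date a client would infer as (bind time + warning time) at
    each bind; None where no warning was returned."""
    seen = []
    for now in bind_times:
        w = warning_time_on_bind(state, now, pwdMaxAge, pwdExpireWarning)
        seen.append(None if w is None else now + timedelta(seconds=w))
    return seen


if __name__ == "__main__":
    # Constructed sample policy and entry (not from the original post).
    PWD_MAX_AGE = 90 * 86400
    PWD_EXPIRE_WARNING = 14 * 86400
    state = PolicyState(pwdChangedTime="20240101000000Z")
    binds = [parse_generalized_time(t) for t in
             ("20240310000000Z",   # before the warning window
              "20240320000000Z",   # first bind inside the window
              "20240325000000Z")]  # second bind inside the window
    print("nominal expiry:", format_generalized_time(
        nominal_expiry(state.pwdChangedTime, PWD_MAX_AGE)))
    for t, e in zip(binds, expiry_seen_by_client(state, binds,
                                                 PWD_MAX_AGE, PWD_EXPIRE_WARNING)):
        print(format_generalized_time(t), "->",
              None if e is None else format_generalized_time(e))
```

With these values the first in-window bind yields an inferred expiry equal to pwdChangedTime + pwdMaxAge (2024-03-31), while the next bind five days later yields 2024-04-03, because the server now reports pwdExpirationWarned + pwdExpireWarning. That is exactly the drift Jim's points 4 and 5 describe, and it is why reading the warning time back to compute an expiry date is unreliable across binds.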
IONEL_POPA (Author) commented:
Hi Jim,

Thanks for your answer.

So, in conclusion, it is better to use pwdChangedTime + pwdMaxAge for defining the expiration date. I am assuming that LDAP is calculating this in the same way; correct me if I am wrong.

Thanks.