Solved

LDAP pwd Exchange Time

Posted on 2010-01-12
1,270 Views
Last Modified: 2013-12-24
I have a LDAP question.

Right now I am deriving the pwd Expiration Date from pwdChangedTime + pwdMaxAge.
I am looking into using another approach... maybe using pwdExpirationWarned?

Looking at these two...

pwdExpireWarning: pwdExpireWarning attribute specifies the maximum number of seconds before a password is about to expire that expiration warning messages will be returned to an authenticating user.
pwdExpirationWarned: Contains the time at which the password expiration warning was first sent to the client

can I assume that pwd Expiration Date is pwdExpirationWarned + pwdExpireWarning ?

Thanks!
Question by:IONEL_POPA
3 Comments
LVL 6

Accepted Solution

by: jwilleke earned 1000 total points
ID: 26330766
Which LDAP vendor server are you using?
The implementation of these attributes is vendor dependent.

These attributes are part of a RFC draft that is not formalized.
(http://tools.ietf.org/html/draft-behera-ldap-password-policy-10)
In the latest draft, the pwdExpirationWarned was dropped as there were some questions as how to maintain the value.

But, generally, yes, the assumption is
4.3.4 pwdExpirationWarned

  This attribute contains the time when the password expiration
  warning was first sent to the client. The password will expire in
  the pwdExpireWarning time.

5.2.8. pwdExpireWarning
   This attribute specifies the maximum number of seconds before a
   password is due to expire that expiration warning messages will be
   returned to an authenticating user.

   If this attribute is not present, or if the value is 0 no warnings
   will be returned.  If not 0, the value must be smaller than the value
   of the pwdMaxAge attribute.
...
     D. Calculates whether the time before expiration warning should
        be sent.


        If the pwdExpireWarning attribute is present and contains a
        value, the server MUST perform the following steps.


            If the pwdExpirationWarned attribute is present and has a
            time value, the warning time is the value of the
            pwdExpirationWarned attribute plus the value of the
            pwdExpireWarning attribute minus the current time.


            If the pwdExpirationWarned attribute is not present, the
            server MUST subtract the current time from the time stored
            in pwdChangedTime to arrive at the password's age. If the
            age is greater than the value of the pwdMaxAge attribute
            minus the value of the pwdExpireWarning attribute, the
            server MUST set the current time as the value of the
            pwdExpirationWarned attribute, and the warning time is the
            value of pwdMaxAge minus the password's age.

Reading the above we come to the following assumptions:

1- the password will expire at (pwdExpirationWarned plus pwdExpireWarning) date.
2- the first time there is a bind within the warning period, when the pwdExpirationWarned is not yet initialized, the calculated warning time is equal to (pwdChangedTime plus pwdMaxAge) minus current time.
3- the second time a bind within the warning period, when the pwdExpirationWarned is already initialized, the calculated warning time is equal to (pwdExpirationWarned plus pwdExpireWarning) minus current time, which is a value surely larger than the one calculated during the first bind.

The last two points have the following implications:

4- if the server calculates the expiration date using the returned warning time you obtain two different values between first and any subsequent bind within the warning period, which is not very consistent.
5- the real expiration date can be extended well beyond the (pwdChangedTime plus pwdMaxAge), depending on when the first bind during the warning period happens, almost up to (pwdChangedTime plus pwdMaxAge plus pwdExpireWarning) if my first bind within the warning period falls within the last usable second of (pwdChangedTime plus pwdMaxAge) time.

-jim
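A worked example of step D as quoted above, added here as an illustration; it is not code from the draft, from jwilleke, or from any LDAP server. The policy values, the pwdChangedTime and the bind times are constructed, and only the UTC "Z" form of GeneralizedTime is parsed. It replays three binds (one before the warning window, two inside it) and reports the warning seconds the server would return and the expiry a client would infer from bind time + warning, which reproduces points 4 and 5: the inferred expiry moves from pwdChangedTime + pwdMaxAge on the first warned bind to almost one pwdExpireWarning later on the next.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy values for this example (not taken from any real server).
PWD_MAX_AGE = 30 * 24 * 3600      # seconds a password may be used: 30 days
PWD_EXPIRE_WARNING = 24 * 3600    # warn during the final day


def parse_generalized_time(value: str) -> datetime:
    """Parse the UTC 'YYYYmmddHHMMSSZ' form of LDAP GeneralizedTime
    (the form operational attributes such as pwdChangedTime normally use)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


@dataclass
class PolicyState:
    """The per-entry attributes the draft's step D reads and writes."""
    pwd_changed_time: datetime
    pwd_max_age: int = PWD_MAX_AGE
    pwd_expire_warning: int = PWD_EXPIRE_WARNING
    pwd_expiration_warned: Optional[datetime] = None   # unset until first warning


def simple_expiry(state: PolicyState) -> datetime:
    """The questioner's approach: pwdChangedTime + pwdMaxAge."""
    return state.pwd_changed_time + timedelta(seconds=state.pwd_max_age)


def warning_time_on_bind(state: PolicyState, now: datetime) -> Optional[int]:
    """Step D of the draft: seconds of warning the server returns on a bind,
    or None when no warning is due. Updates pwd_expiration_warned exactly
    where the draft says the server MUST set it."""
    # Absent or zero pwdExpireWarning: no warnings at all.
    if not state.pwd_expire_warning:
        return None
    if state.pwd_expiration_warned is not None:
        # Warned before: pwdExpirationWarned + pwdExpireWarning - now.
        remaining = (state.pwd_expiration_warned
                     + timedelta(seconds=state.pwd_expire_warning) - now)
        return int(remaining.total_seconds())
    # Not yet warned: compare the password's age against the warning window.
    age = int((now - state.pwd_changed_time).total_seconds())
    if age > state.pwd_max_age - state.pwd_expire_warning:
        state.pwd_expiration_warned = now
        return state.pwd_max_age - age
    return None


def simulate_binds(changed: str,
                   seconds_before_expiry: list[int]) -> list[tuple[str, Optional[int], Optional[str]]]:
    """Replay binds at the given offsets before pwdChangedTime + pwdMaxAge and
    return (bind time, warning seconds, expiry a client would infer as
    bind time + warning) for each bind, in order."""
    state = PolicyState(parse_generalized_time(changed))
    nominal = simple_expiry(state)
    rows = []
    for offset in seconds_before_expiry:
        now = nominal - timedelta(seconds=offset)
        warning = warning_time_on_bind(state, now)
        inferred = (None if warning is None
                    else format_generalized_time(now + timedelta(seconds=warning)))
        rows.append((format_generalized_time(now), warning, inferred))
    return rows


if __name__ == "__main__":
    # Constructed pwdChangedTime; nominal expiry is therefore 2010-02-11 08:30:00Z.
    for bind_time, warning, inferred in simulate_binds("20100112083000Z", [200000, 100, 90]):
        print(f"bind at {bind_time}: warning={warning!s:>6}  inferred expiry={inferred}")
```

With these values the bind 100 seconds before the nominal expiry is warned with 100 seconds (inferred expiry equals pwdChangedTime + pwdMaxAge), but the bind 10 seconds later is warned with 86390 seconds, so a client computing expiry from the warning now lands almost a full pwdExpireWarning later. The first calculation stays consistent across binds, which is why deriving the date from pwdChangedTime + pwdMaxAge is the stable choice for any client-side check.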
Author Comment

by:IONEL_POPA
ID: 26363992
Hi Jim,

Thanks for your answer.

So, in conclusion it is better to use pwdChangeTime + maxAge for defining the expiration date. I am assuming that LDAP is calculating this in the same way; correct me if I am wrong.

Thanks.