[Freeipa-devel] per-group password policy proposal

Simo Sorce ssorce at redhat.com
Thu Jun 11 14:05:40 UTC 2009


On Thu, 2009-06-11 at 07:04 +0200, Christoffer Strömblad wrote:
> Could it perhaps be an idea to do some sort of aggregate policy? Say
> that there are a couple of groups, including subgroups and they all have
> different password policies. Perhaps when a new group is added, modified
> or deleted an "aggregate" password policy is created and stored in the
> "top" branch (forgive me, I'm not that familiar with LDAP).
> 
> So the default will become some sort of common denominator using the
> highest requirements to set the policy.
> 
> One group might have a 30-day expiration and a minimum length of 7. Another
> a minimum length of 10 and a 60-day expiration.
> 
> The final "aggregate policy" would become:
> Expiration: 30 days
> Min length: 10.
> 
> My reasoning around this type of policy would be that a user who is a
> member of several groups has more access rights and should hence be treated
> as such. Hence a stronger password should be required from this particular
> user.
> 
> Problems with aggregate policy
> I guess however that maintaining such a thing would require that the
> code change each time a new attribute is added to the password policy,
> which might need to happen anyway.
> 
> It might be dumb, but I thought I'd share the idea nonetheless.

It's not a dumb idea, but I think it presents more problems than it
solves.

Problem 1: incompatible settings in the aggregate
Problem 2: understanding what pwd policy applies to a specific user

N.2 depends on whether the aggregate policy is generated on the fly or
stored at creation time.

A priority based policy like Rob defined is probably easier to
understand and use.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
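The two resolution schemes debated above, worked out as an added example (this is not code from the thread or from FreeIPA; the policy record, its field names and the sample groups are constructed for illustration, and FreeIPA's real LDAP attribute names are not used). The strictest-wins aggregate reproduces Christoffer's 30 days / min length 10 result, and the extra `min_life_days` field shows Simo's Problem 1: values that are each the strictest can be mutually inconsistent once combined. `explain_aggregate` shows the bookkeeping Problem 2 demands, since nothing in an aggregate itself says which group contributed which value; `resolve_by_priority` is the whole-policy alternative, where the answer is simply one named policy.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy record; field names are this example's own."""
    name: str
    max_life_days: int   # password expires after this many days
    min_life_days: int   # password may not be changed again before this many days
    min_length: int      # minimum password length
    priority: int = 0    # lower value wins in priority-based resolution (assumption)


# Direction in which each attribute becomes stricter. Every attribute added
# to the policy needs an entry here, which is the maintenance cost noted in
# the thread.
STRICTER = {
    "max_life_days": min,   # shorter expiration is stricter
    "min_life_days": max,   # longer minimum age is stricter
    "min_length": max,      # longer minimum length is stricter
}


def aggregate_strictest(policies: Iterable[PasswordPolicy]) -> PasswordPolicy:
    """Build the 'common denominator' policy: strictest value per attribute."""
    policies = list(policies)
    if not policies:
        raise ValueError("need at least one policy")
    values = {attr: pick(getattr(p, attr) for p in policies)
              for attr, pick in STRICTER.items()}
    return PasswordPolicy(name="aggregate", priority=0, **values)


def explain_aggregate(policies: Iterable[PasswordPolicy]) -> Dict[str, str]:
    """Map each aggregated attribute to the (first) group policy that supplied
    its value, so an administrator can answer 'why is my min length 10?'."""
    policies = list(policies)
    agg = aggregate_strictest(policies)
    return {attr: next(p.name for p in policies if getattr(p, attr) == getattr(agg, attr))
            for attr in STRICTER}


def find_conflicts(policy: PasswordPolicy) -> List[str]:
    """Problem 1: an aggregate may combine individually strictest values into
    a policy that cannot be satisfied."""
    conflicts = []
    if policy.min_life_days > policy.max_life_days:
        conflicts.append(
            f"min_life_days ({policy.min_life_days}) exceeds max_life_days "
            f"({policy.max_life_days}): the password expires before it may be changed")
    return conflicts


def resolve_by_priority(policies: Iterable[PasswordPolicy]) -> PasswordPolicy:
    """Alternative scheme: the whole policy of the highest-priority group applies."""
    return min(policies, key=lambda p: p.priority)


# Constructed sample groups: the two policies from the thread plus one whose
# long minimum password age conflicts with the others' short expiration.
GROUPS = [
    PasswordPolicy("staff",       max_life_days=30, min_life_days=0,  min_length=7,  priority=20),
    PasswordPolicy("admins",      max_life_days=60, min_life_days=0,  min_length=10, priority=10),
    PasswordPolicy("contractors", max_life_days=90, min_life_days=45, min_length=8,  priority=30),
]


if __name__ == "__main__":
    two = GROUPS[:2]
    print("aggregate of staff+admins:", aggregate_strictest(two))
    print("  sources:", explain_aggregate(two))
    agg_all = aggregate_strictest(GROUPS)
    print("aggregate of all three:", agg_all)
    for c in find_conflicts(agg_all):
        print("  CONFLICT:", c)
    print("priority-based choice:", resolve_by_priority(GROUPS).name)
```

Running it shows the aggregate of the first two groups to be exactly the 30-day / length-10 policy from the thread, while adding the third group yields an aggregate that expires passwords (30 days) before they may be changed (45 days); the priority scheme instead selects the `admins` policy outright, with nothing to reconcile.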
