Brant,<div><br></div><div>That is fine for some cases but we provide non-ldap backends, and a read/write backend. If we continue to provide a keystone specific idp (likely we need to), these features are a must-have in the long run. Just my view (and requests from real customers). It's all well and good to recommend ldap and handle all that logic in the IDP, but many use-cases don't allow for that configuration. I think providing partial or "toy" implementations is suboptimal from a product completeness standpoint / user and deployer <span></span>experience. </div>
<div><br></div><div>--Morgan <br><br>On Wednesday, January 1, 2014, li-zheming wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="font-size:14px;font-family:arial">
<div>hi Thomas:<br> thank you for your suggestion. I agree with you. cracklib is useful to check<br>password. I only give a example to set password, not force use this rule.<br>I think password scheme should be more discussion.<br>
I refer to linux password policy. The Linux password rule is configurable.<br>like this:<br> PASS_MAX_DAYS 99999<br> PASS_MIN_DAYS 0<br> PASS_MIN_LEN 5<br> PASS_WARN_AGE 7<br><span style="font-size:14px">this is general rule. if you want to set a strength password, you can<br>
use pam_cracklib module</span><font size="3"><span style="font-size:14px">. </span><br><span style="font-family:宋体,SimSun"><span style="font-size:14px;font-family:arial,helvetica,sans-serif"> so we can also config password policy. someone who don't need <br>
a strength password, they can set general rule in keystone.conf.<br>someone who need strength password, they can load </span></span></font><font size="3"><span style="font-family:宋体,SimSun"><span style="font-size:14px;font-family:arial,helvetica,sans-serif">cracklib(or others)<br>
and check password, and password rule can be set by administor. <br>this is only my idea, can you give me more suggestion?thanks!<br>--lizheming<br></span><br></span> <br></font></div></div><div> </div><div> 在2013年12月30 23时15分,"Thomas Goirand"<<a href="javascript:_e({}, 'cvml', 'zigo@debian.org');" target="_blank">zigo@debian.org</a>>写道:</div>
<blockquote style="padding-left:1ex;margin:0px 0px 0px 0.8ex;BORDER-LEFT:#ccc 1px solid"><br> On 12/30/2013 02:55 PM, li-zheming wrote:<br>> hi all:<br>> when create user, you can set user password. You can set password<br>
> as a simple word 'a'. the<br>> password is too simple but not limit. if someone want to steal your<br>> password, it is so easily(such as exhaustion).<br>> I consider that it must be limited when set password, like this:<br>
> 1. inlcude uppper and lower letters<br>> 2. include nums<br>> 3. include particular symbol,such as '_','&'<br>> 4. the length>8<br>> administor can set the password rule.<br>
<br>Hi,<br><br>If you want to check for password complexity, do it the correct way. I'm<br>used to *always* use a password generator that uses only lower case, and<br>removes chars that can be confused with one another, so that you don't<br>
have l and 1, or O and 0 in my passwords. Yet, they are high entropy and<br>long. If you just force me to add upper+lower case and add symbols, then<br>you are just annoying me even with my very good passwords.<br><br>> I want to provide a BP about this issue. can you give me some advice<br>
> or ideas??<br><br>Please use a password entropy function. Something like this:<br><a href="https://pypi.python.org/pypi/cracklib" target="_blank">https://pypi.python.org/pypi/cracklib</a><br><br>Thomas<br><br><br>_______________________________________________<br>
OpenStack-dev mailing list<br><a href="javascript:_e({}, 'cvml', 'OpenStack-dev@lists.openstack.org');" target="_blank">OpenStack-dev@lists.openstack.org</a><br><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</blockquote></blockquote></div>