
Re: Password management and options in OpenLDAP / pam_ldap



Mon, 08.12.2003 at 14:58, Eric.Sammons@frit.frb.org wrote:

> I have implemented OpenLDAP as an authorization networked service for
> my Linux environment.

What do you mean by "Openldap"? What do you mean by "Linux"? There are
different versions, some subversions are buggy, some are not ;)
Everything I write that follows applies to Openldap 2.1.25 and RedHat
Linux ES3, so ymmv. Some RH standard versions do not implement what
follows.

>   I am now looking for how to or if it is possible to take advantage
> of some of the standard security features of /etc/passwd and
> /etc/shadow.  These features would include:
> 
> * Password expiration
> * Force Password change on next login
> * Warning of password expiration
> * (and in the case of Linux) password strength tests.

These will be automatically respected by the Linux login, passwd, su
etc. utilities, when present in your LDAP profile and using the
posixAccount and shadowAccount objectclasses, if you have told
/etc/ldap.conf and /etc/nsswitch.conf to use them. An example of an
inflexible though "intuitive" client you can use to set the attributes
you want, is directory_administrator 1.53; an example of a flexible
though not "intuitive" client is GQ 1.0b1.

> Can any or all of these be used when LDAP is the authentication
> utility?  If so how?

Yes, with the proviso mentioned above. The later your Linux version, the
greater the possibility that things work. Openldap (ancient version,
needs upgrading) is fully integrated as system authentication in RH 9
and later. My RH ES3 ruins /etc/ldap.conf when using the authconfig
utility, so use of vi plus a good knowledge of how pam_ldap works is a
pre. 

--Tonni

-- 
mail: billy - at - billy.demon.nl
http://billy.demon.nl
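The reply above says the expiration, warning and forced-change features are honoured once the entry carries the shadowAccount attributes. The following is an added example, not code from the original post or from OpenLDAP or pam_ldap: it parses a constructed LDIF entry with the standard RFC 2307 shadowAccount attributes (shadowLastChange, shadowMax, shadowWarning, shadowInactive, shadowExpire) and evaluates them with the shadow(5) day-count semantics that the login/passwd ageing checks apply, so an administrator can see which attribute values produce "warn", "expired", "must change" or "locked" before pointing clients at the directory. The sample user, dates and attribute values are all made up for illustration.

```python
"""Evaluate shadowAccount password-ageing attributes of an LDAP entry.

Added example, not part of the original mailing-list post. The sample
entry below is constructed; the attribute semantics follow shadow(5):
every value is a count of days since 1970-01-01, and a shadowLastChange
of 0 means the password must be changed at the next login.
"""
from datetime import date

# Constructed sample entry, shaped like the output of an ldapsearch.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
shadowLastChange: 12300
shadowMin: 1
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
"""


def parse_ldif_entry(text):
    """Parse one plain (unfolded, non-base64) LDIF entry into
    a dict mapping attribute name -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        key, _, value = line.partition(':')
        entry.setdefault(key.strip(), []).append(value.strip())
    return entry


def days_since_epoch(d):
    """Convert a date to the day count used by shadow(5) attributes."""
    return (d - date(1970, 1, 1)).days


def password_status(entry, today_days):
    """Classify the password state on the given day (days since epoch).

    Returns one of: 'ok', 'warn', 'must_change', 'expired', 'locked'.
    """
    def get_int(attr, default=None):
        vals = entry.get(attr)
        return int(vals[0]) if vals else default

    last_change = get_int('shadowLastChange')
    if last_change is None:
        return 'ok'            # no ageing information to enforce
    if last_change == 0:
        return 'must_change'   # forced change at next login

    # shadowExpire is an absolute day on which the account is disabled.
    expire = get_int('shadowExpire')
    if expire is not None and today_days >= expire:
        return 'locked'

    max_days = get_int('shadowMax')
    if max_days is None or max_days < 0:
        return 'ok'            # no maximum age configured

    change_due = last_change + max_days
    if today_days >= change_due:
        # Past the maximum age: expired, and locked once the
        # inactivity grace period (if any) has also elapsed.
        inactive = get_int('shadowInactive')
        if inactive is not None and inactive >= 0 \
                and today_days >= change_due + inactive:
            return 'locked'
        return 'expired'

    warn_days = get_int('shadowWarning', 0)
    if today_days >= change_due - warn_days:
        return 'warn'
    return 'ok'


def status_on(entry, when):
    """Convenience wrapper taking a datetime.date instead of a day count."""
    return password_status(entry, days_since_epoch(when))


if __name__ == '__main__':
    alice = parse_ldif_entry(SAMPLE_LDIF)
    for day in (12300, 12383, 12390, 12404):
        print(day, password_status(alice, day))
```

The thresholds fall out directly from the attributes: with shadowLastChange 12300 and shadowMax 90 the change is due on day 12390, the warning window opens seven days earlier on day 12383, and shadowInactive 14 locks the account from day 12404. Setting shadowLastChange to 0 is the LDAP equivalent of forcing a change at next login.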