
Schema for password aging, reuse prevention?



We're doing an application which uses OpenLDAP for account management.
I have a GUI that enforces NASA policy on password complexity but have
no way to store last-change-date or previously-used-password info
which is required by our policy to:

 1) Enforce password aging
 2) Not allow users to re-use their last 10 passwords.
 3) Lock a user's account after 3 failed logins.

Are any of you folks aware of an existing published schema which will
allow me to store dates, previous passwords (SHA hash OK), needed to
implement password aging and reuse prevention?

I'd really like to avoid having to create a private schema, though I
believe NASA has been delegated an OID so it would be possible.  But
this is such a common type of thing it's built into a bunch of account
management software, and I'd be surprised if someone hasn't
implemented a schema to support this.  Any pointers?

Many thanks for your help.
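One way to meet all three requirements without a private schema is the slapo-ppolicy overlay in current OpenLDAP, which records pwdChangedTime, pwdHistory and pwdFailureTime as operational attributes on each user entry. The LDIF below is an added example, not part of the original post; it assumes a cn=config deployment with an mdb database at olcDatabase={1}mdb, a placeholder suffix dc=example,dc=com with an existing ou=policies container, and a 90-day maximum password age, which the post does not specify.

```ldif
# Load the overlay module (assumes the module directory is already configured).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Attach the overlay to the database so slapd itself, not the GUI,
# tracks password age, history and failed binds.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords arriving in Modify requests, so pwdHistory
# holds hashes rather than plaintext.
olcPPolicyHashCleartext: TRUE

# The policy entry. pwdPolicy is auxiliary, so "person" supplies the
# structural class, as in the slapo-ppolicy(5) manual page example.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# 1) Aging: seconds after pwdChangedTime before the password expires
#    (90 days is an assumed value; the post gives no period).
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
# 2) Reuse prevention: keep the last 10 hashes in the entry's pwdHistory.
pwdInHistory: 10
# 3) Lockout: 3 failures recorded in pwdFailureTime lock the account;
#    pwdLockoutDuration 0 keeps it locked until an administrator
#    removes pwdAccountLockedTime from the entry.
pwdMaxFailure: 3
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdFailureCountInterval: 0
```

The pwdPolicy schema must be present before the policy entry is added (a separate ppolicy.schema include on OpenLDAP 2.4, built into the module from 2.5); the first two records are applied with ldapmodify over the ldapi:/// EXTERNAL bind and the third with ldapadd.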