
Re: Schema for password aging, reuse prevention?



Have a look at the password policy implementation in the HEAD/2.2 code; see, for
instance, the slapo-ppolicy(5) man page and the
draft-behera-ldap-password-policy-07.txt it is based on.

p.


> We're doing an application which uses OpenLDAP for account management. I
> have a GUI that enforces NASA policy on password complexity but have no
> way to store last-change-date or previously-used-password info
> which is required by our policy to:
>
>  1) Enforce password aging
>  2) Not allow users to re-use their last 10 passwords.
>  3) Lock a user's account after 3 failed logins.
>
> Are any of you folks aware of an existing published schema which will
> allow me to store dates, previous passwords (SHA hash OK), needed to
> implement password aging and reuse prevention?
>
> I'd really like to avoid having to create a private schema, though I
> believe NASA has been delegated an OID so it would be possible.  But
> this is such a common type of thing it's built into a bunch of account
> management software, and I'd be surprised if someone hasn't
> implemented a schema to support this.  Any pointers?
>
> Many thanks for your help.


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
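As an added illustration (not part of the original exchange and not taken from the OpenLDAP sources), the following LDIF shows how the three requirements in the quoted message map onto a slapo-ppolicy policy entry. The suffix dc=example,dc=com and the entry name cn=default,ou=policies are assumptions chosen for the example; the attribute names are those defined by the password policy draft and handled by the overlay.

```ldif
# Constructed example: a pwdPolicy entry for slapo-ppolicy.
# Assumed suffix and DN; adjust to the local DIT.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
# The attribute the policy governs.
pwdAttribute: userPassword
# 1) Password aging: maximum age in seconds (90 days = 7776000 s).
#    The overlay records the last change in the operational
#    attribute pwdChangedTime, so no private schema is needed.
pwdMaxAge: 7776000
# Optional: warn this many seconds before expiry (14 days).
pwdExpireWarning: 1209600
# 2) Reuse prevention: keep the last 10 passwords in the operational
#    attribute pwdHistory and reject any password found there.
pwdInHistory: 10
# 3) Lockout after 3 consecutive failed binds. Failures are recorded in
#    pwdFailureTime; a lockout sets pwdAccountLockedTime.
pwdLockout: TRUE
pwdMaxFailure: 3
# 0 = stay locked until an administrator resets the password.
pwdLockoutDuration: 0
# 0 = failure counter never expires on its own.
pwdFailureCountInterval: 0
# Let users change their own password, and require the old one
# to be supplied when they do.
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
```

The entry only takes effect once the overlay is configured in slapd.conf, for example with `overlay ppolicy` on the database and `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"` pointing at it; individual users can be given a different policy through the pwdPolicySubentry attribute. Note that pwdInHistory compares against the stored hashes, so the history is only as reuse-resistant as the hash scheme chosen for userPassword, and that a lockout policy of this kind lets anyone who knows a user's DN lock that user out with three bad binds, which is the usual trade-off to consider before enabling it.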