Re: Schema for password aging, reuse prevention?

["Kurt D. Zeilenga" <Kurt@OpenLDAP.org>]

Note that is schema is for representing the policy to be enforced
by a directory server, it not intended to represent policies that
may need to be enforced by directory applications (or other beasts).

Also, I note that this document is very much "a work in progress".

Kurt

At 09:48 AM 3/30/2004, Pierangelo Masarati wrote:
>Have a look at password policy implementation in HEAD/2.2 code; see for
>instance slapo-ppolicy(5) man page, and the
>draft-behera-ldap-password-policy-07.txt it is based on.
>
>p.
>
>
>> We're doing an application which uses OpenLDAP for account management. I
>> have a GUI that enforces NASA policy on password complexity but have no
>> way to store last-change-date or previously-used-password info
>> which is required by our policy to:
>>
>>  1) Enforce password aging
>>  2) Not allow users to use re-use their last 10 passwords.
>>  3) Lock a users account after 3 failed logins.
>>
>> Are any of you folks aware of an existing published schema which will
>> allow me to store dates, previous passwords (SHA hash OK), needed to
>> implement password aging and reuse prevention?
>>
>> I'd really like to avoid having to create a private schema, tho I
>> believe NASA has been delegated an OID so it would be possible.  But
>> this is such a common type of thing it's built into a bunch of account
>> management software, and I'd be surprised if someone hasn't
>> implemented a schema to support this.  Any pointers?
>>
>> Many thanks for your help.
>
>
>-- 
>Pierangelo Masarati
>mailto:pierangelo.masarati@sys-net.it