
Re: OpenLDAP strong password enforcement



On Wed, 2005-12-14 at 08:33 -0600, Henderson, Ron wrote:
> Good morning all, 
> 
> I am new to the list, and I am new to OpenLDAP. I am trying to use OpenLDAP as a user management tool to provide authentication to a distributed application. There are some here that really are pushing to use MS Active Directory, something I would like to avoid, however I need to enforce strong passwords. Is there any way to make OpenLDAP support the following password rules?
> 
>        Password Generations, 
>        Restricted word list, 
>        Password composition rules (Upper, lower, digits, special, etc)  
>        Password change policies
>        Account enabled/disabled
>        Account locked out.
>        Failed login limit
>        Min password length
>        Max password length
>        Min Number char different from last
> 
> Again I am sorry if my questions have been answered 100 times before. I tried to use the FAQ-A-Matic and did not find anything, and I am under a time crunch to get answers. Can any of you help me out?
> 

Hi Ron,

You can use the password policy overlay to enforce password policy in
OpenLDAP. To enable it, compile OpenLDAP with the option
'--enable-ppolicy'.

slapo-ppolicy in OpenLDAP offers only some of the password control
mechanisms you are looking for:
	- password change policy
	- account locked out
	- failed login limit
	- min password length

Please look at the slapo-ppolicy manpage for more information:
http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html

For the other rules you would need to use third-party software in
conjunction with OpenLDAP, e.g. P-Synch from M-Tech.

Hope this helps.

Sam
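
Added example, not part of the original message: a default policy entry for slapo-ppolicy covering the four controls listed in the reply above (password change policy, lockout, failed login limit, minimum length). The suffix dc=example,dc=com, the schema path and all numeric values are assumptions chosen for illustration.

```ldif
# Constructed example; adjust the suffix, paths and values to your site.
#
# slapd.conf (global section):
#   include  /etc/openldap/schema/ppolicy.schema
# slapd.conf (inside the database section):
#   overlay  ppolicy
#   ppolicy_default  "cn=default,ou=policies,dc=example,dc=com"

dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# --- Password change policy ---
# Passwords expire after 90 days; warn during the last 7 days.
pwdMaxAge: 7776000
pwdExpireWarning: 604800
# At least one day between changes.
pwdMinAge: 86400
# Users may change their own password and must supply the old one.
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
# Force a change at first bind after an administrator resets the password.
pwdMustChange: TRUE
# --- Account lockout and failed login limit ---
# Lock after 5 failed binds counted within a 10 minute window.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 600
# Unlock automatically after 15 minutes; 0 would require an admin reset.
pwdLockoutDuration: 900
# --- Minimum password length ---
# pwdMinLength is only enforced when pwdCheckQuality is non-zero.
# With 2, a password that arrives already hashed (so its length cannot
# be checked) is rejected; with 1 it would be accepted unchecked.
pwdCheckQuality: 2
pwdMinLength: 10
```

The overlay can only check length when the client sends the new password in clear text, for example through the Password Modify extended operation, so protect those connections with TLS.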