[Date Prev][Date Next] [Chronological] [Thread] [Top]

ppolicy, was: Re: {CRYPT} password to {SHA}

To: openldap-technical@openldap.org
Subject: ppolicy, was: Re: {CRYPT} password to {SHA}
From: Jeroen van Aart <kroshka@atypon.com>
Date: Thu, 12 Jun 2008 16:42:10 -0700
In-reply-to: <200806061043.23636.bgmilne@staff.telkomsa.net>
References: <d363b8eb0806040600j31ac9698w6b20d10b32a1110@mail.gmail.com> <48482B23.50808@atypon.com> <hbf.20080605f1u8@bombur.uio.no> <200806061043.23636.bgmilne@staff.telkomsa.net>
User-agent: Icedove 1.5.0.14eol (X11/20080509)

Buchan Milne wrote:

Or, you can have one default policy, and override it (by setting the pwdPolicySubentry to the other policy) on all the entries which should not use the default policy. Which one you make the default, you will have to decide.

I am curious how the mechanism of enforcing the policy through various login "points" works. For example ssh, subversion, email and ftp all authenticate to LDAP, via pam. Some people use ssh, all people use email and some people use subversion. Ftp is mostly used by external clients, who have no way of acting upon a password expiration.

Email seems to be the common thing amongst all users whose password "should" expire and who can change it. How can LDAP tell an email client, through pam that the password is about to expire, or has expired? Or does this happen automagically?

Thanks,
Jeroen

References:
- How to lock user
  - From: "Gustavo Mendes de Carvalho" <gmcarvalho@gmail.com>
- Re: {CRYPT} password to {SHA}
  - From: Jeroen van Aart <kroshka@atypon.com>
- Re: {CRYPT} password to {SHA}
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: {CRYPT} password to {SHA}
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: additional info: homePhone: value #0 normalization failed
Next by Date: Fwd: [BSD7.0] Openldap Server - Client 2.3.41 / Unknow user UID
Index(es):
- Chronological
- Thread