Re: (ITS#6084) ppolicy should allow scheduled password expiration
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#6084) ppolicy should allow scheduled password expiration
- From: firstname.lastname@example.org
- Date: Tue, 30 Jun 2009 10:26:24 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Guillaume Rousse wrote:
> Howard Chu wrote:
>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>> suggestions for changes in this area should probably first be raised on
>> the ietf-ldapext mailing list.
> Right, but the openldap implementation already has extensions, such as
> pwdCheckModule. Additional extensions could be implemented before
> getting standardized.
> Also, the ietf-ldapext seems to be a highly technical list, and I don't
> feel comfortable enough to post this kind of request directly there.
> Discussing various limitations of ppolicy among openldap users first
> would probably allow openldap core team to suggest a more polished
> extension request themselves.
The draft doesn't say anything about setting pwdAccountLockedTime to a value
in the future; since it doesn't preclude it I've fixed up the code to handle
this case. However, it's not a good solution for your purpose, since the
pwdAccountLockedTime value is automatically replaced with the current time if
too many Bind failures occur, and it's automatically deleted when a password
is changed. We'll leave this in HEAD on an experimental basis for now, until a
real solution is spec'd out.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
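
The following is an added illustration, not part of the original message and not slapd code: a toy Python model of the three behaviours described above, showing how a future-dated pwdAccountLockedTime is lost before it can act as a scheduled expiration. The `Entry` class, its method names and the `max_failures` parameter (standing in for the policy's failure limit) are hypothetical, and the model assumes a future value takes effect only once that time is reached and ignores lockout duration.

```python
from datetime import datetime, timezone

GT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime in UTC, second precision

class Entry:
    """Toy model of one user entry under ppolicy (illustrative only)."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures  # stand-in for the failure limit
        self.failures = 0
        self.locked_time = None           # models pwdAccountLockedTime

    def schedule_lock(self, when):
        # Administrator writes a future timestamp into the attribute.
        self.locked_time = when.strftime(GT)

    def is_locked(self, now):
        # Assumption: a future value does not lock the account until reached.
        if self.locked_time is None:
            return False
        stamp = datetime.strptime(self.locked_time, GT)
        return stamp.replace(tzinfo=timezone.utc) <= now

    def bind_failure(self, now):
        # Too many Bind failures: the value is replaced with the current time.
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_time = now.strftime(GT)

    def change_password(self):
        # A password change deletes the attribute (counter reset is assumed).
        self.failures = 0
        self.locked_time = None

def demo():
    """Replay a constructed timeline; return the attribute after each step."""
    now = datetime(2009, 7, 1, 12, 0, 0, tzinfo=timezone.utc)
    expiry = datetime(2009, 12, 31, 0, 0, 0, tzinfo=timezone.utc)
    e = Entry()
    trace = []
    e.schedule_lock(expiry)
    trace.append(e.locked_time)       # scheduled date is stored
    for _ in range(3):
        e.bind_failure(now)
    trace.append(e.locked_time)       # scheduled date overwritten by "now"
    e.change_password()
    trace.append(e.locked_time)       # attribute gone, schedule lost
    trace.append(e.is_locked(expiry)) # account is open on the intended date
    return trace

if __name__ == "__main__":
    print(demo())
```
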