[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6084) ppolicy should allow scheduled password expiration

Guillaume Rousse wrote:
> Howard Chu a écrit :
>> Since the ppolicy module's behavior is dictated by the Behera draft, any
>> suggestions for changes in this area should probably first be raised on
>> the ietf-ldapext mailing list.
> Right, but openldap implementation already have extension, such
> pwdCheckModule. Additional extension could be implemented, before
> getting standardized.
> Also, the ietf-ldapext seems to be an highly-technical list, and I don't
> feel confortable enough to post this kind of request directly there.
> Discussing various limitations of ppolicy among openldap users first
> would probably allow openldap core team to suggest a more polished
> extension request themselves.

The draft doesn't say anything about setting pwdAccountLockedTime to a value 
in the future; since it doesn't preclude it I've fixed up the code to handle 
this case. However, it's not a good solution for your purpose, since the 
pwdAccountLockedTime value is automatically replaced with the current time if 
too many Bind failures occur, and it's automatically deleted when a password 
is changed. We'll leave this in HEAD on an experimental basis for now, until a 
real solution is spec'd out.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/