[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password Expiry/Controls?

This needs to be handled by the OS.

Try using PAM and the cracklib PAM module on the OS in conjunction with LDAP for minimum password strengh.

Also the /etc/shadow info is defined in 2307, I believe. So all the password and account expire options can be defined and stored in LDAP. It's up to the OSes PAM LDAP module to store/update those, I guess. See the posixAccount schema and the PAM LDAP module docs for more info on this.

PS. if you give users write access to their passwords, and other attributes instead of using a proxy user for PAM, then the user can always write a ldapmodify to modify any of that data. IE. set any password or cause their account never to expire. On the other hand, using a ldap "proxy user" means that there's a single user who's credentials are on every machine and who can modify any account.


Emilio Recio wrote:
Does openldap internally do password controls? Is there a way to have the ACL or ACI manage password controls? Password controls means: expiring password after certain number of days, requiring minimum of x characters/letters/numbers, etc. etc.