Re: Password Expiry/Controls?
This needs to be handled by the OS.
Try using PAM and the cracklib PAM module on the OS in conjunction with
LDAP for minimum password strength.
Also the /etc/shadow info is defined in 2307, I believe. So all the
password and account expire options can be defined and stored in LDAP.
It's up to the OS's PAM LDAP module to store/update those, I guess. See
the posixAccount schema and the PAM LDAP module docs for more info on this.
PS. If you give users write access to their passwords and other
attributes instead of using a proxy user for PAM, then the user can
always write an ldapmodify to modify any of that data, i.e. set any
password or cause their account never to expire. On the other hand,
using an LDAP "proxy user" means that there's a single user whose
credentials are on every machine and who can modify any account.
Emilio Recio wrote:
Does OpenLDAP internally do password controls? Is there a way to have
the ACL or ACI manage password controls? Password controls means:
expiring password after certain number of days, requiring minimum of x
characters/letters/numbers, etc. etc.
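
An added example, not part of either message above: an audit pass over the RFC 2307 shadowAccount attributes (shadowLastChange, shadowMax, shadowExpire) that flags entries whose aging data means the password never expires or is otherwise inconsistent, which is the state the reply warns a self-writable entry can end up in. The entry dictionaries, the `SAMPLE` data and the 99999 "no aging" threshold are constructed assumptions; in practice the attributes would come from an LDAP search.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
NEVER_MAX = 99999  # assumption: conventional "no aging" value, as in /etc/shadow


def _int(entry, attr):
    """Return the attribute as an int, or None when absent or empty."""
    value = entry.get(attr)
    return int(value) if value not in (None, "") else None


def audit_shadow(entry, today):
    """Return a list of findings for one entry's shadowAccount attributes."""
    findings = []
    now = (today - EPOCH).days  # shadow fields count days since the epoch
    last = _int(entry, "shadowLastChange")
    max_age = _int(entry, "shadowMax")
    expire = _int(entry, "shadowExpire")

    if max_age is None or max_age < 0 or max_age >= NEVER_MAX:
        findings.append("password-never-expires")
    elif last is None:
        findings.append("no-last-change")
    elif last > now:
        findings.append("last-change-in-future")  # invalid data, aging cannot be evaluated
    elif now - last > max_age:
        findings.append("password-expired")

    # A negative shadowExpire (commonly -1) means no account expiry date is set.
    if expire is not None and 0 <= expire <= now:
        findings.append("account-expired")
    return findings


def audit_all(entries, today):
    """Map uid -> findings, keeping only entries that have at least one finding."""
    report = {uid: audit_shadow(e, today) for uid, e in entries.items()}
    return {uid: f for uid, f in report.items() if f}


# Constructed sample entries (attribute values are strings, as LDAP returns them).
TODAY = date(2024, 1, 1)
_D = (TODAY - EPOCH).days
SAMPLE = {
    "alice": {"shadowLastChange": str(_D - 30), "shadowMax": "90"},
    "bob": {"shadowLastChange": str(_D - 120), "shadowMax": "90"},
    "carol": {"shadowLastChange": str(_D - 10), "shadowMax": "99999", "shadowExpire": "-1"},
    "dave": {"shadowLastChange": str(_D + 400), "shadowMax": "90"},
}
```

Run periodically against the directory, a report like `audit_all(SAMPLE, TODAY)` shows which accounts have drifted from the intended aging policy regardless of who wrote the attributes.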