Re: Schema for password aging, reuse prevention?
Have a look at password policy implementation in HEAD/2.2 code; see for
instance slapo-ppolicy(5) man page, and the
draft-behera-ldap-password-policy-07.txt it is based on.
> We're doing an application which uses OpenLDAP for account management. I
> have a GUI that enforces NASA policy on password complexity but have no
> way to store last-change-date or previously-used-password info
> which is required by our policy to:
> 1) Enforce password aging
> 2) Not allow users to re-use their last 10 passwords.
> 3) Lock a user's account after 3 failed logins.
> Are any of you folks aware of an existing published schema which will
> allow me to store dates, previous passwords (SHA hash OK), needed to
> implement password aging and reuse prevention?
> I'd really like to avoid having to create a private schema, tho I
> believe NASA has been delegated an OID so it would be possible. But
> this is such a common type of thing it's built into a bunch of account
> management software, and I'd be surprised if someone hasn't
> implemented a schema to support this. Any pointers?
> Many thanks for your help.
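As an added illustration (not part of the original exchange), here is a pwdPolicy entry for the slapo-ppolicy overlay that maps the three quoted requirements onto the draft's attributes; the DN, the 90-day age and the 30-minute lockout are assumed values, and the objectClass/sn lines only satisfy the need for a structural class.

```ldif
# Constructed example: default password policy entry for slapo-ppolicy.
# Assumed DN; point ppolicy_default in slapd.conf at it.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default policy
# The attribute the policy governs.
pwdAttribute: userPassword
# 1) Password aging: expire after 90 days (seconds), warn 7 days ahead.
pwdMaxAge: 7776000
pwdExpireWarning: 604800
# 2) Reuse prevention: keep the last 10 hashes in pwdHistory and reject them.
pwdInHistory: 10
# 3) Lockout after 3 consecutive bind failures, released after 30 minutes
#    (set pwdLockoutDuration to 0 for an administrator-only unlock).
pwdLockout: TRUE
pwdMaxFailure: 3
pwdLockoutDuration: 1800
# Failures count against the user indefinitely until a successful bind.
pwdFailureCountInterval: 0
# Users may change their own password; server-side quality checking on.
pwdAllowUserChange: TRUE
pwdCheckQuality: 1
```

With `overlay ppolicy` and `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"` enabled on the database in slapd.conf, the overlay itself maintains the pwdChangedTime, pwdHistory and pwdFailureTime operational attributes on each user entry, so no private schema is needed for the last-change date or the old hashes.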