[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Schema for password aging, reuse prevention?

The shadowAccount objectClass does provide most of those fields except
the password history, but the enforcement still needs to be done by the
app accessing the LDAP.

On Tue, 2004-03-30 at 11:48, Pierangelo Masarati wrote:
> Have a look at password policy implementation in HEAD/2.2 code; see for
> instance slapo-ppolicy(5) man page, and the
> draft-behera-ldap-password-policy-07.txt it is based on.
> p.
> > We're doing an application which uses OpenLDAP for account management. I
> > have a GUI that enforces NASA policy on password complexity but have no
> > way to store last-change-date or previously-used-password info
> > which is required by our policy to:
> >
> >  1) Enforce password aging
> >  2) Not allow users to use re-use their last 10 passwords.
> >  3) Lock a users account after 3 failed logins.
> >
> > Are any of you folks aware of an existing published schema which will
> > allow me to store dates, previous passwords (SHA hash OK), needed to
> > implement password aging and reuse prevention?
> >
> > I'd really like to avoid having to create a private schema, tho I
> > believe NASA has been delegated an OID so it would be possible.  But
> > this is such a common type of thing it's built into a bunch of account
> > management software, and I'd be surprised if someone hasn't
> > implemented a schema to support this.  Any pointers?
> >
> > Many thanks for your help.
Edward Rudd <eddie@omegaware.com>
Website http://outoforder.cc/