
Re: Schema for password aging, reuse prevention?



The shadowAccount objectClass does provide most of those fields except
the password history, but the enforcement still needs to be done by the
app accessing the LDAP.

On Tue, 2004-03-30 at 11:48, Pierangelo Masarati wrote:
> Have a look at password policy implementation in HEAD/2.2 code; see for
> instance slapo-ppolicy(5) man page, and the
> draft-behera-ldap-password-policy-07.txt it is based on.
> 
> p.
> 
> 
> > We're doing an application which uses OpenLDAP for account management. I
> > have a GUI that enforces NASA policy on password complexity but have no
> > way to store last-change-date or previously-used-password info
> > which is required by our policy to:
> >
> >  1) Enforce password aging
> >  2) Not allow users to re-use their last 10 passwords.
> >  3) Lock a user's account after 3 failed logins.
> >
> > Are any of you folks aware of an existing published schema which will
> > allow me to store dates, previous passwords (SHA hash OK), needed to
> > implement password aging and reuse prevention?
> >
> > I'd really like to avoid having to create a private schema, though I
> > believe NASA has been delegated an OID so it would be possible.  But
> > this is such a common type of thing it's built into a bunch of account
> > management software, and I'd be surprised if someone hasn't
> > implemented a schema to support this.  Any pointers?
> >
> > Many thanks for your help.
-- 
Edward Rudd <eddie@omegaware.com>
Website http://outoforder.cc/
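The application-side enforcement Edward describes, as an added example that is not code from this thread, from OpenLDAP or from NASA. It works on an entry in the shape python-ldap returns (attribute name to list of string values), uses the real shadowAccount attributes shadowLastChange and shadowMax (days since 1970-01-01) for aging, and stores hashes in OpenLDAP's {SSHA} form. Since shadowAccount has no history or failure-counter fields, the attributes x-pwdHistory and x-failedLogins are hypothetical private-schema names standing in for whatever the poster would define under NASA's OID arc; with the slapo-ppolicy overlay Pierangelo points to, the server does this work itself. The entry below is constructed, not read from a directory.

```python
"""App-side password aging, reuse prevention and lockout over shadowAccount
attributes.  Added example; x-pwdHistory and x-failedLogins are hypothetical
private attributes, not part of shadowAccount or any published schema."""
import base64
import hashlib
import hmac
import os
from datetime import date

HISTORY_ATTR = "x-pwdHistory"     # hypothetical: retired {SSHA} hashes, oldest first
FAILURES_ATTR = "x-failedLogins"  # hypothetical: consecutive failed logins
HISTORY_DEPTH = 10                # policy item 2: current password + 9 retired ones
MAX_FAILURES = 3                  # policy item 3: lock on the third failure
EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadowLastChange / shadowMax are expressed in days since 1970-01-01."""
    return (d - EPOCH).days


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt); 4-byte random salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of a cleartext candidate against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def make_entry(password, last_change_iso, max_age_days, salt=None):
    """Constructed shadowAccount-style entry (sample data, not from a directory)."""
    return {
        "userPassword": [ssha_hash(password, salt)],
        "shadowLastChange": [str(days_since_epoch(date.fromisoformat(last_change_iso)))],
        "shadowMax": [str(max_age_days)],
    }


def password_expired(entry, today):
    """Aging: expired once more than shadowMax days passed since shadowLastChange.
    A missing or negative shadowMax means the password never ages (shadow(5))."""
    last_change = int(entry["shadowLastChange"][0])
    max_age = int(entry.get("shadowMax", ["-1"])[0])
    if max_age < 0:
        return False
    return days_since_epoch(today) > last_change + max_age


def password_reused(entry, candidate):
    """Reuse: reject the current password and the retired hashes kept in history."""
    recent = entry.get(HISTORY_ATTR, [])[-(HISTORY_DEPTH - 1):]
    return any(ssha_verify(candidate, h) for h in recent + entry["userPassword"])


def is_locked(entry):
    return int(entry.get(FAILURES_ATTR, ["0"])[0]) >= MAX_FAILURES


def check_login(entry, password, today):
    """Lockout is reported before anything about the password is revealed, and a
    wrong password counts as a failure even on an already-expired account."""
    if is_locked(entry):
        return "locked"
    if not ssha_verify(password, entry["userPassword"][0]):
        failures = int(entry.get(FAILURES_ATTR, ["0"])[0]) + 1
        entry[FAILURES_ATTR] = [str(failures)]
        return "locked" if failures >= MAX_FAILURES else "bad-password"
    entry[FAILURES_ATTR] = ["0"]               # a good login resets the counter
    return "expired" if password_expired(entry, today) else "ok"


def change_password(entry, new_password, today):
    """Rotate: refuse reuse, retire the old hash into history, reset the change date."""
    if password_reused(entry, new_password):
        raise ValueError("password matches one of the last %d" % HISTORY_DEPTH)
    retired = entry.get(HISTORY_ATTR, []) + entry["userPassword"]
    entry[HISTORY_ATTR] = retired[-(HISTORY_DEPTH - 1):]
    entry["userPassword"] = [ssha_hash(new_password)]
    entry["shadowLastChange"] = [str(days_since_epoch(today))]
    return entry


def run_demo():
    """Walk one constructed account through all three rules; returns the verdicts."""
    entry = make_entry("OldOne!2004", "2004-01-01", 90)
    seen = [check_login(entry, "OldOne!2004", date(2004, 3, 30)),   # day 89 of 90: ok
            check_login(entry, "OldOne!2004", date(2004, 4, 1))]    # day 91: expired
    for _ in range(3):
        seen.append(check_login(entry, "guess", date(2004, 4, 1)))  # bad, bad, locked
    seen.append(check_login(entry, "OldOne!2004", date(2004, 4, 1)))  # right pw, still locked
    entry[FAILURES_ATTR] = ["0"]                                    # administrative unlock
    try:
        change_password(entry, "OldOne!2004", date(2004, 4, 1))
        seen.append("reuse-allowed")
    except ValueError:
        seen.append("reuse-rejected")
    change_password(entry, "NewOne!2004", date(2004, 4, 1))
    seen.append(check_login(entry, "NewOne!2004", date(2004, 4, 1)))
    seen.append("old-in-history" if password_reused(entry, "OldOne!2004") else "old-forgotten")
    return seen


if __name__ == "__main__":
    print(run_demo())
```

Two things worth keeping when adapting this: the failure counter and the history list have to be written back with an LDAP modify before the bind result is returned, or a client that drops the connection after a failed bind never gets counted; and the reuse check must run against hashes, never cleartext, which is why the history holds {SSHA} values and the candidate is re-hashed with each stored salt.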