[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Schema for password aging, reuse prevention?

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Kurt D. Zeilenga

> Note that is schema is for representing the policy to be enforced
> by a directory server, it not intended to represent policies that
> may need to be enforced by directory applications (or other beasts).

But if the directory applications trust LDAP for authentication, then this
schema may be sufficient. I.e., if the application just uses LDAP Simple Bind
to satisfy its own authentication requirements, then this mechanism will

> Also, I note that this document is very much "a work in progress".

Yes. But I doubt that any major changes are coming now, it seems to be only
fine details that are left to resolve. The current implementation is already
useful, even though the spec is immature.

> At 09:48 AM 3/30/2004, Pierangelo Masarati wrote:
> >Have a look at password policy implementation in HEAD/2.2
> code; see for
> >instance slapo-ppolicy(5) man page, and the
> >draft-behera-ldap-password-policy-07.txt it is based on.
> >
> >p.
> >
> >
> >> We're doing an application which uses OpenLDAP for account
> management. I
> >> have a GUI that enforces NASA policy on password
> complexity but have no
> >> way to store last-change-date or previously-used-password info
> >> which is required by our policy to:
> >>
> >>  1) Enforce password aging
> >>  2) Not allow users to use re-use their last 10 passwords.
> >>  3) Lock a users account after 3 failed logins.
> >>
> >> Are any of you folks aware of an existing published schema
> which will
> >> allow me to store dates, previous passwords (SHA hash OK),
> needed to
> >> implement password aging and reuse prevention?
> >>
> >> I'd really like to avoid having to create a private schema, tho I
> >> believe NASA has been delegated an OID so it would be
> possible.  But
> >> this is such a common type of thing it's built into a
> bunch of account
> >> management software, and I'd be surprised if someone hasn't
> >> implemented a schema to support this.  Any pointers?
> >>
> >> Many thanks for your help.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support