[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP+Password-Policies

-----Original Message-----
From: Tay, Gary [mailto:Gary_Tay@platts.com] 
>No sure if pam_passwdqc is what u r looking for, it does not seem to
have pw aging, but >cover length and others.
 
>I haven't used it, and not sure if it will work with the shadowAccount
attributes.
 
I have and it doesn't, it merely enforces strong passwords during a
password change.

The ppolicy overlay from HEAD may do what the OP wants (You ditch the
shadow stuff and apply password policies instead).  Apparently the padl
pam_ldap module supports this, although I'm using Sun's pam_ldap as I
can't get the PADL one to work. The Sun one works fine except doesn't
warn about impending expiries or grace logins and doesn't enforce the
pwdReset attribute.  I got round this by putting something into the
login script (it probably not bullet proof, but its good enough in my
environment).

If the OP is interested feel free to drop me a note off-list and I'll
share my docs about how I compiled it in (YMMV).



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
_________________________________________________________________
This message (and any attachment) is intended only for the 
recipient and may contain confidential and/or privileged 
material.  If you have received this in error, please contact the 
sender and delete this message immediately.  Disclosure, copying 
or other action taken in respect of this email or in 
reliance on it is prohibited.  BMRB International Limited 
accepts no liability in relation to any personal emails, or 
content of any email which does not directly relate to our 
business.