[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Implementing password aging

Fran Fabrizio wrote:

Looking at Google, there is a lot of conflicting information about whether password aging is supported from OpenLDAP.

I personally thought that this was more a function of pam_ldap than of openldap itself, but there's lots of chatter out there as to which ldap servers support it.

Assuming I have a schema that has password aging fields (we use shadowAccount as an objectClass for our user entries, for example) how would I implement password aging, and would it be done within openldap or with pam_ldap?

Since you mention pam_ldap, it sounds like you're asking in the context of an LDAP application. In which case it depends entirely on your LDAP application; the LDAP server has nothing to do with this function. Any server that allows you to store and retrieve shadowAccount attributes will allow pam_ldap to do its thing, and this line of discussion properly belongs on the pam-ldap mailing list.

There is a separate function implemented in OpenLDAP for password policies (including aging). But this function is specific to an LDAP server, and does not use shadowAccount attributes, and has nothing to do with application-level logic.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/