[Date Prev][Date Next]
Re: Implementing password aging
Fran Fabrizio wrote:
Since you mention pam_ldap, it sounds like you're asking in the context
of an LDAP application. In which case it depends entirely on your LDAP
application; the LDAP server has nothing to do with this function. Any
server that allows you to store and retrieve shadowAccount attributes
will allow pam_ldap to do its thing, and this line of discussion
properly belongs on the pam-ldap mailing list.
Looking at Google, there is a lot of conflicting information about
whether password aging is supported from OpenLDAP.
I personally thought that this was more a function of pam_ldap than of
openldap itself, but there's lots of chatter out there as to which
ldap servers support it.
Assuming I have a schema that has password aging fields (we use
shadowAccount as an objectClass for our user entries, for example) how
would I implement password aging, and would it be done within openldap
or with pam_ldap?
There is a separate function implemented in OpenLDAP for password
policies (including aging). But this function is specific to an LDAP
server, and does not use shadowAccount attributes, and has nothing to do
with application-level logic.
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/