
Re: ppolicy implementation questions

Lee Sheridan wrote:
> I'm a little confused about a couple of things with ppolicy, I would
> appreciate someone helping me to sort it out.
>
> Here's my problem.  I have a pwdMinAge set to some number X.  The reason
> is that the password policy I'm implementing says that passwords must
> not be reused until some N days and Y number of changes have elapsed.
>
> Thus, pwdMinAge is approximately N / Y, which means that even if a user
> changes their password every X days, they won't go through all Y
> passwords until all N days have passed.  Clearly not the best option.

If your policy is N days AND Y number of changes, then it seems to me that you just need to set pwdMinAge to N and pwdInHistory to Y. Your use of pwdMinAge = N / Y would equate to N OR Y.

> So my first question is this:  I see that the pwdHistory attribute
> stores time the password was used within it.  Is there some way for
> ppolicy to check if a password that is being reused has been reused in <
> X days?

Not at present.

> Failing in that (which would allow me to get rid of using pwdMinAge)...
> When I set a user password with the rootdn or similar, the user can not
> reset their password because it is too young.  I can see no way to
> modify pwdChangedTime.  How exactly is this handled?

You would need to use something like the Relax Rules (formerly ManageDIT) control.
As an administrator you would set this control and delete the pwdChangedTime attribute.

> Third, apparently only the rootdn can set a password when the password
> is < pwdMinAge.  Users with an ACL that allows write access to
> userPassword also go through the ppolicy policies (which makes sense).
> Is there a way to exclude them also from ppolicy constraints when
> setting another user's password?

Not at present.

You're welcome to submit patches to the ITS implementing the features you're interested in.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
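As an added example that is not part of the thread, the two answers above (pwdMinAge = N with pwdInHistory = Y, and an administrator clearing pwdChangedTime under the Relax Rules control) written out in LDIF for a policy of N = 90 days and Y = 5 changes; the DNs, the values 90 and 5, and the user uid=jdoe are constructed.

```ldif
# Constructed example: policy entry for "no reuse until N = 90 days
# AND Y = 5 changes have elapsed". pwdMinAge is in seconds, so
# 90 days * 86400 = 7776000.
dn: cn=reuse-policy,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: reuse-policy
pwdAttribute: userPassword
# N: a user may not change their own password again for 90 days
pwdMinAge: 7776000
# Y: the last 5 passwords are kept in pwdHistory and cannot be reused
pwdInHistory: 5

# Constructed example: administrator resets a user whose password is
# younger than pwdMinAge. pwdChangedTime is an operational attribute the
# user cannot modify, so this record must be sent with the Relax Rules
# control (see the usage note); afterwards the user may change their
# password before the 90 days are up.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
delete: pwdChangedTime
-
```

Load the first record with a normal `ldapmodify -x -D <admin DN> -W -f policy.ldif`; send the second with `ldapmodify -x -D <admin DN> -W -e relax -f reset.ldif`, where `-e relax` requests the Relax Rules control that the reply refers to.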