Re: OpenLDAP user credentials lifetime issue

On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
> Hello,
> I need to implement directory users' credentials lifetime functionality on
> my OpenLDAP server (2.3.27). For each user the lifetime can be set as "forever"
> or "number of days between 1 and 365". After the lifetime expires, the user must be
> terminated (user entry still present in the directory, but not able to
> authenticate).
> I have inspected the slapo-ppolicy(5) overlay functionality; it seems that:
> "pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
> would help, but then I need to set up a separate policy for each user with a
> different lifetime (not acceptable).

To be completely accurate, you would create a policy, and apply that policy to 
individual entries by setting the pwdPolicySubentry attribute of that entry 
to the DN of the policy.

> I would like to ask if slapd(8) offers features (in addition to
> slapo-ppolicy) to control the lifetime of directory users' credentials? Is
> there a convenient way to implement such requirement?

Note the ppolicy_default option, documented in the man page, which allows you 
to have a default password policy for the entire database (which you would 
override if necessary as above).


Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader

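As an added illustration of the approach Buchan describes (not part of the original thread or the OpenLDAP project's documentation), the LDIF below assumes a constructed dc=example,dc=com suffix, a ppolicy overlay with ppolicy_default pointing at a "forever" policy, and a second policy with a 30-day pwdMaxAge that is attached to one user via pwdPolicySubentry; the caveat in the comments about pwdChangedTime is the one practitioners most often trip over.

```ldif
# Assumed slapd.conf fragment for the database (2.3-style configuration):
#   include         /etc/openldap/schema/ppolicy.schema
#   overlay         ppolicy
#   ppolicy_default "cn=forever,ou=policies,dc=example,dc=com"
# Load with: ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f policies.ldif

# Container for the policy entries (constructed DN).
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

# Database-wide default referenced by ppolicy_default.
# pwdMaxAge 0 means the password never expires ("forever").
dn: cn=forever,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: forever
pwdAttribute: userPassword
pwdMaxAge: 0

# Per-lifetime policy: 30 days = 30 * 86400 seconds.
# pwdGraceAuthnLimit 0 means no grace binds once the password has expired,
# so the entry stays in the directory but can no longer authenticate.
dn: cn=30days,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: 30days
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdGraceAuthnLimit: 0

# Attach the 30-day policy to one user; all other entries keep ppolicy_default.
# Writing pwdPolicySubentry is subject to your ACLs (typically done as rootdn).
# Note: the overlay measures age from the operational attribute pwdChangedTime,
# which is only set when the password is written through slapd with the overlay
# active; a password that predates the overlay has no pwdChangedTime and will
# not expire until it is (re)set.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=30days,ou=policies,dc=example,dc=com
```

One policy entry per distinct lifetime value is enough; users sharing a lifetime point at the same subentry, so the "one policy per user" concern in the question does not arise.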