
Re: OpenLDAP user credentials lifetime issue

Buchan Milne wrote:
> On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
>> I have inspected slapo-ppolicy(5) overlay functionality, seems that:
>>
>> "pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
>>
>> would help, but then I need to set up separate policy for each user with
>> different lifetime (not acceptable).
>
> To be completely accurate, you would create a policy, and apply that policy to individual entries by setting the pwdPolicySubentry attribute of that entry to the DN of the policy.

This is completely true and correct today, but that's not how it is meant to work in the future. Just a little FYI... Subentries are actually intended to follow the X.500 administration model, using subtree search specifications to define the range of the tree over which they apply. I.e., in X.500 you would create a pwdPolicy subentry at some administration point in the DIT, defining the policy and the range of entries that are to be subject to the policy. And then the directory is supposed to dynamically populate the pwdPolicySubentry operational attribute of all the affected entries, indicating which subentry controls them. For now OpenLDAP lacks true subentry support. When the support is added in the future, these pwdPolicySubentry operational attributes will be read-only, dynamically generated based on the specifications in the actual pwdPolicy subentries.

Given the lack of real subentry support it was easier to do things this way, but in hindsight we should have made the ppolicy overlay dynamically generate the operational attributes itself. The current implementation gives a wrong indication of how subentries should normally work...

>> I would like to ask if slapd(8) offers features (in addition to
>> slapo-ppolicy) to control the lifetime of directory users' credentials? Is
>> there a convenient way to implement such a requirement?
>
> Note the ppolicy_default option, documented in the man page, which allows you to have a default password policy for the entire database (which you would override if necessary as above).


  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
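Putting the two suggestions from the thread together (a database-wide ppolicy_default policy plus a per-entry pwdPolicySubentry override for users who need a shorter lifetime), as an added example that is not part of the original thread; the suffix, policy DNs, user DN and schema path are hypothetical:

```ldif
# --- slapd.conf fragment (hypothetical suffix and paths) ---
# include /etc/openldap/schema/ppolicy.schema
# ...
# database bdb
# suffix   "dc=example,dc=com"
# overlay  ppolicy
# # Every entry without its own pwdPolicySubentry falls back to this policy:
# ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# --- LDIF: container and default policy (90-day lifetime, no grace binds) ---
# pwdMaxAge is in seconds and is counted from pwdChangedTime, which the
# overlay stamps only when a password is changed through slapd; passwords set
# before the overlay was enabled carry no pwdChangedTime and will not expire
# until they are changed once.
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdGraceAuthnLimit: 0

# --- LDIF: a stricter policy for privileged accounts (30-day lifetime) ---
dn: cn=admin-30d,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: admin-30d
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdGraceAuthnLimit: 0

# --- LDIF: point one existing user at the stricter policy ---
# (hypothetical user entry; this is the per-entry override Buchan describes)
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=admin-30d,ou=policies,dc=example,dc=com
```

Load the whole file with `ldapmodify -a` so the add and modify records can share one file; because pwdPolicySubentry is operational, confirm the override with `ldapsearch ... uid=alice pwdPolicySubentry` (or request `+`), since a plain search will not return it.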