[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy DIGEST-MD5 ignore expired password

To: Jiri Netolicky <netolish@gmail.com>
Subject: Re: Ppolicy DIGEST-MD5 ignore expired password
From: Howard Chu <hyc@symas.com>
Date: Wed, 25 Apr 2007 13:56:53 -0700
Cc: openldap-software@openldap.org
In-reply-to: <3e2aaaf50704251111m392fbb45qe9c96f5362357ec6@mail.gmail.com>
References: <3e2aaaf50704250726p2fe39fc6o37c3d3622147b05a@mail.gmail.com> <462F7109.6000304@symas.com> <3e2aaaf50704251111m392fbb45qe9c96f5362357ec6@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.9a4pre) Gecko/20070409 SeaMonkey/1.5a

Jiri Netolicky wrote:

Have a nice day.

I have to implement password policy in our OpenLdap. During testing futures
of ppolicy module I found that they ignore expired password when I authenticate
user by SASL DIGEST-MD5.
When I try on exprired account:

Correct. Password policies as currently defined in LDAP only affect
Simple Binds.


Many thanks for quick answer.

Do you plan in near future implement password policy in other
authentication methods? If not the only way for me is disable SASL
authentication
and force bind authentication secured by SSL or TLS.

It is certainly desirable, but pushing the SASL specification is really outside the scope of LDAP. So yes, we are pushing for this, but have no idea how long it will take. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

References:
- Ppolicy DIGEST-MD5 ignore expired password
  - From: "Jiri Netolicky" <netolish@gmail.com>
- Re: Ppolicy DIGEST-MD5 ignore expired password
  - From: Howard Chu <hyc@symas.com>
- Re: Ppolicy DIGEST-MD5 ignore expired password
  - From: "Jiri Netolicky" <netolish@gmail.com>

Prev by Date: Re: Sort ldap results
Next by Date: Re: slapd becoming mysteriously slow
Index(es):
- Chronological
- Thread