Re: Tips when implementing password policies
Chris Jacobs wrote:
> I've a few accounts that I was testing with - after I set the password
> /after/ ppolicy was in place, things work as expected. Password history, #
> grace auths, etc.
>
> However, for those accounts existing before the ppolicy was in place, no
> enforcement - there's no password change date set, nor any other policy items
> added - other than the pwdpolicysubentry.

Please read the slapo-ppolicy(5) manpage. In particular, read the description
of the pwdChangedTime attribute.

> One note: early on in the old LDAP installation's use, inetorgperson wasn't
> a class on accounts. Is that necessary for pwdpolicy? Would that make everything
> else work for the legacy accounts?
>
> I'll send an example LDIF of a test account and a legacy account later.

-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
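
Added example, not part of either poster's message: slapo-ppolicy(5) states that when pwdChangedTime does not exist the user's password will not expire, which is the state of accounts whose passwords were set before the overlay was in place. The Python below audits a slapcat-style LDIF export for entries that hold a userPassword but no pwdChangedTime; the sample LDIF, DNs and function names are constructed for illustration.

```python
import base64

# Constructed sample in slapcat-style LDIF (operational attributes included).
SAMPLE_LDIF = """\
dn: uid=newuser,ou=people,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: newuser
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdChangedTime: 20240101120000Z

dn: uid=legacy,ou=people,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: legacy
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdPolicySubentry: cn=default,ou=policies,
 dc=example,dc=com

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):      # "attr:: <base64 value>"
            value = base64.b64decode(value[1:]).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())

def unenforced_accounts(text):
    """DNs of entries that have a password but no pwdChangedTime."""
    return [e["dn"][0] for e in parse_ldif(text)
            if "dn" in e and "userpassword" in e and "pwdchangedtime" not in e]

print(unenforced_accounts(SAMPLE_LDIF))
```

pwdChangedTime is an operational attribute, so an ldapsearch export has to request it by name or with `+`; slapcat output already includes it.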