[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Tips when implementing password policies

To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Subject: Re: Tips when implementing password policies
From: Howard Chu <hyc@symas.com>
Date: Tue, 23 Mar 2010 19:27:53 -0700
Cc: "'tgates81@gmail.com'" <tgates81@gmail.com>, "'openldap-technical@openldap.org'" <openldap-technical@openldap.org>
In-reply-to: <6C447584419BFE4E83D46E88F81314862FAEA762E7@EXCH07-05.apollogrp.edu>
References: <6C447584419BFE4E83D46E88F81314862FAEA762E7@EXCH07-05.apollogrp.edu>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.3a2pre) Gecko/20100212 Firefox 3.6

Chris Jacobs wrote:

I've a few accounts that I was testing with - after I set the password

/after/ ppolicy was in place, things work as expected. Password history, #
grace auths, etc.


However, for those accounts existing before the ppolicy was in place, no

enforcement - there's no password change date set, nor any other policy items
added - other than the pwdpolicysubentry.

Please read the slapo-ppolicy(5) manpage. In particular, read the descriptionof the pwdChangedTime attribute.

One note: early on in the old ldap installations use, inetorgperson wasn't
a

class on accounts. Is that necessary for pwdpolicy? Would that make everything
else work for the legacy accounts?


I'll send an example LDIF of a test account and a legacy account later.
- chris


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Re: Tips when implementing password policies
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>

Prev by Date: Re: Tips when implementing password policies
Next by Date: Re: Tips when implementing password policies
Index(es):
- Chronological
- Thread