
Re: Tips when implementing password policies

Chris Jacobs wrote:
I've a few accounts that I was testing with - after I set the password
/after/ ppolicy was in place, things work as expected. Password history, #
grace auths, etc.

However, for those accounts existing before the ppolicy was in place, no
enforcement - there's no password change date set, nor any other policy items
added - other than the pwdpolicysubentry.

Please read the slapo-ppolicy(5) manpage. In particular, read the description of the pwdChangedTime attribute.

One note: early on in the old LDAP installation's use, inetorgperson wasn't
a class on accounts. Is that necessary for pwdpolicy? Would that make everything
else work for the legacy accounts?

I'll send an example LDIF of a test account and a legacy account later.
- chris

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/