
Re: ldap/pwd complexity and PAM?



Doug OLeary wrote:
> Hi;
>
> In my free time, I've been studying openldap and the ppolicy overlay.
> I started working on password complexity today.  While searching for
> information on implementing complexity, I ran across the link immediately
> following which seems to indicate that openldap honors the settings in
> /etc/pam.d/password-auth.
>
> http://ubuntuforums.org/showthread.php?t=2172393

No, that's not what that thread says at all.

> I tried configuring that on a test kvm and can't even get it working
> with local accounts so obviously I borked something in the password-auth
> file - like maybe not even the right pam.d file; however, before I spend
> a whole lot of time troubleshooting this, is my understanding accurate?
> Will openldap honor the settings in pam.d?

No, OpenLDAP doesn't know anything about PAM settings. All that that thread is saying is that you must configure PAM correctly if you want PAM to enforce password quality *when you change passwords using PAM*.

If you change LDAP passwords via LDAP, PAM is nowhere in the picture.

> It seems that'd be a whole lot cleaner and more supportable than compiling
> a specialized password checking module.
>
> Any info greatly appreciated.  Thanks for your time.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/