[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sane ppolicy choices

To: openldap-technical@openldap.org
Subject: Re: sane ppolicy choices
From: Dieter Klünter <dieter@dkluenter.de>
Date: Thu, 5 Mar 2015 14:58:45 +0100
In-reply-to: <CAA1SNA01sUuFMEW_83mSoxWgUSXZZUM8iAuFifRyefzxSb5Ynw@mail.gmail.com>
Organization: AVCI
References: <CAA1SNA01sUuFMEW_83mSoxWgUSXZZUM8iAuFifRyefzxSb5Ynw@mail.gmail.com>

Am Thu, 5 Mar 2015 11:35:23 +0200
schrieb Igor Shmukler <igor.shmukler@gmail.com>:

> Hello,
> 
> I am trying to implement a trial [period] for new customers, using the
> OpenLDAP password policy overlay.
> 
> I was thinking about setting a combination of pwdMaxAge, pwdMustChange
> and pwdAllowUserChange.
> 
> Basically, the best idea I have had is to set MaxAge to the length of
> trial [in seconds] then in a user changes the password while in trial
> mode, calculate MaxAge as (trial_length - time_passed), then at the
> end setting MustChange to true and AllowUserChange to false [until the
> trial has been converted].
> 
> Is that a sane policy? Should I be doing something totally different?
> Please advise.

I would create and set a password according to RFC-3062, a little Perl
script could do this and mail the password to the trial user. I would
not allow a user to modify her pasword in a trial period.

Policy would be 
pwdAllowuserChange: false
pwdMustChange: false
pwdSafeModify: false
pwdMaxAge: according to your requirements.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E

Follow-Ups:
- Re: sane ppolicy choices
  - From: Igor Shmukler <igor.shmukler@gmail.com>

References:
- sane ppolicy choices
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: Re: sane ppolicy choices
Next by Date: Re: sane ppolicy choices
Index(es):
- Chronological
- Thread