Re: Password Expiry/Controls?

This needs to be handled by the OS.

Try using PAM and the cracklib PAM module on the OS in conjunction with LDAP for minimum password strength.

Also the /etc/shadow info is defined in 2307, I believe. So all the password and account expire options can be defined and stored in LDAP. It's up to the OS's PAM LDAP module to store/update those, I guess. See the posixAccount schema and the PAM LDAP module docs for more info on this.

PS. If you give users write access to their passwords and other attributes instead of using a proxy user for PAM, then the user can always write an ldapmodify to modify any of that data, i.e. set any password or cause their account never to expire. On the other hand, using an LDAP "proxy user" means that there's a single user whose credentials are on every machine and who can modify any account.


--Kervin
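As an added illustration (not code from Kervin's or Emilio's posts), the snippet below shows how the RFC 2307 shadowAccount attributes encode password ageing in LDAP and how a PAM/NSS client evaluates them at login; the base DN is a placeholder and `account_status` is a simplified rendering of the pam_unix ageing checks, so treat both as assumptions.

```python
from datetime import date
from typing import Dict, Optional

EPOCH = date(1970, 1, 1)
BASE_DN = "ou=People,dc=example,dc=com"  # placeholder base DN, not from the post


def days_since_epoch(d: date) -> int:
    """shadow* date attributes are days since 1970-01-01, exactly as in /etc/shadow."""
    return (d - EPOCH).days


def shadow_ldif(uid: str, last_change: date, max_days: int,
                warn_days: int = 7, expire: Optional[date] = None) -> str:
    """LDIF modify adding shadowAccount ageing attributes to a posixAccount entry
    (assumes the entry does not carry the shadowAccount objectClass yet)."""
    lines = [
        f"dn: uid={uid},{BASE_DN}",
        "changetype: modify",
        "add: objectClass", "objectClass: shadowAccount", "-",
        "replace: shadowLastChange",
        f"shadowLastChange: {days_since_epoch(last_change)}", "-",
        "replace: shadowMax", f"shadowMax: {max_days}", "-",
        "replace: shadowWarning", f"shadowWarning: {warn_days}", "-",
    ]
    if expire is not None:  # hard account expiry, independent of password age
        lines += ["replace: shadowExpire",
                  f"shadowExpire: {days_since_epoch(expire)}", "-"]
    return "\n".join(lines) + "\n"


def account_status(attrs: Dict[str, int], today: date) -> str:
    """Simplified pam_unix-style ageing check: 'ok', 'warn' (nearing expiry),
    'change' (must change password now) or 'expired' (login refused)."""
    now = days_since_epoch(today)
    expire = attrs.get("shadowExpire", -1)
    if expire >= 0 and now >= expire:
        return "expired"  # whole account expired, regardless of password age
    last = attrs.get("shadowLastChange")
    max_days = attrs.get("shadowMax", -1)
    if last is None or max_days < 0:
        return "ok"  # no ageing configured for this entry
    if last == 0:
        return "change"  # admin forced a change at next login
    age = now - last
    inactive = attrs.get("shadowInactive", -1)
    if inactive >= 0 and age > max_days + inactive:
        return "expired"  # grace period after password expiry also used up
    if age > max_days:
        return "change"
    if age >= max_days - attrs.get("shadowWarning", 0):
        return "warn"
    return "ok"
```

Note that nothing here is enforced by the directory itself: a user who can write their own shadowLastChange or shadowExpire can reset these values, which is the trade-off Kervin describes.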


Emilio Recio wrote:
Does openldap internally do password controls? Is there a way to have the ACL or ACI manage password controls? Password controls means: expiring password after certain number of days, requiring minimum of x characters/letters/numbers, etc. etc.

-Elmo