Re: Implementing password aging

On Monday 24 October 2005 22:03, Fran Fabrizio wrote:
> Looking at Google, there is a lot of conflicting information about
> whether password aging is supported by OpenLDAP.
> I personally thought that this was more a function of pam_ldap than of
> openldap itself, but there's lots of chatter out there as to which ldap
> servers support it.
> Assuming I have a schema that has password aging fields (we use
> shadowAccount as an objectClass for our user entries, for example) how
> would I implement password aging, and would it be done within openldap
> or with pam_ldap?

The attributes from shadowAccount are for client-side use AFAICT (and, via 
nss_ldap->pam_unix, not via pam_ldap AFAIK).

I think the current best solution is the ppolicy overlay (though that now 
requires 2.3x. ...).

And, it seems it can't currently enforce password length checks (and quality 
checks require a custom overlay I think).

But, it does work ...


Buchan Milne
ISP Systems Specialist
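
An added illustration, not part of the original message: a simplified model of how a client that reads the shadowAccount attributes evaluates password age, following the field semantics described in shadow(5). The function name, status labels and sample values are constructed for this example.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow fields count days since this date

def shadow_status(attrs, today):
    """Classify a shadowAccount entry as a shadow(5)-style client would.

    attrs: dict of shadowAccount attribute -> int (absent key = not set).
    Returns (state, days_left); state is one of
    'ok', 'warn', 'must_change', 'locked', 'account_expired'.
    """
    now = (today - EPOCH).days
    last = attrs.get("shadowLastChange")
    max_age = attrs.get("shadowMax")
    warn = attrs.get("shadowWarning")
    inactive = attrs.get("shadowInactive")
    expire = attrs.get("shadowExpire")

    # Account expiry is independent of password age.
    if expire is not None and expire >= 0 and now >= expire:
        return ("account_expired", None)
    # A last-change value of 0 forces a change at next login.
    if last == 0:
        return ("must_change", 0)
    # Without a last-change date or a maximum age, aging is off.
    if last is None or max_age is None or max_age < 0:
        return ("ok", None)
    age = now - last
    if age < 0:  # last change lies in the future (clock problem)
        return ("ok", None)
    days_left = max_age - age
    if days_left < 0:
        # Past the grace period the password is no longer accepted.
        if inactive is not None and inactive >= 0 and age > max_age + inactive:
            return ("locked", days_left)
        return ("must_change", days_left)
    if warn is not None and warn >= 0 and days_left < warn:
        return ("warn", days_left)
    return ("ok", days_left)

if __name__ == "__main__":
    today = date(2005, 10, 24)
    now = (today - EPOCH).days
    # Constructed sample entry: changed 85 days ago, 90-day maximum.
    entry = {"shadowLastChange": now - 85, "shadowMax": 90,
             "shadowWarning": 7, "shadowInactive": 14}
    print(shadow_status(entry, today))
```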

