[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Tips when implementing password policies

To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Subject: Re: Tips when implementing password policies
From: Tyler Gates <tgates81@gmail.com>
Date: Tue, 23 Mar 2010 21:55:21 -0400
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:references:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:x-mailer :mime-version:subject:date:cc; bh=hw6l4CL2lNB1GLmgwynX7Vs7+nDcr+tNFf9sxoihGo4=; b=bvHnxB4glbxeS6YT6//Oz5shoygiuwI+Rzj8BvCWCe+1uureaj7vhyIKTNKRRpGtcY EeCJkLURnphEmxVTxCnNPV5zKVuA4o9K32UeDsa29cejk/fjIYhVDtkmVc8gUWfpTyFW MDwTG1eocQjp440XKmLCjk8Iqsj2q02f40V/Y=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=references:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:x-mailer:mime-version:subject:date:cc; b=o6NnaMSjVLkqU8Y50kx4mD2NhSJ8U5e7kZIJxupNeMMZE3eAyfdDKLH3pXjpbzckV3 Qfcav6DXJ7AfM9lUohncGlSjCCcgdd9xSdBXocp2xe4R+pf0fD/Za/kUKHSwxefq/9Yt SPFctWDurjGLdajSZE4kaXXpefKd89xhodrjs=
In-reply-to: <6C447584419BFE4E83D46E88F81314862FAEB372D9@EXCH07-05.apollogrp.edu>
References: <6C447584419BFE4E83D46E88F81314862FAEB372D9@EXCH07-05.apollogrp.edu>

pwdPolicySubentry should work -it's honored in place of the defaultpassword policy which is set in your config. If it doesn't work thanlikely your config lacks the necessary directives to use ppolicy.As far as enforcement pwdMustchange can be set in your policy whichlooks at the entrys pwdReset value. If both are true then ldap willallow a limited set of rights on the dn enough to bind as tls or ssland change his or her password.

On Mar 23, 2010, at 5:19 PM, Chris Jacobs <Chris.Jacobs@apollogrp.edu>wrote:

Hello,
I'm upgrading our LDAP infrastructure (it'll be a cut-over) and I'venoticed that after adding pwdPolicySubentry to a user's account, itdoesn't seem to have any affect.
This user hasn't /ever/ reset their password, and the user's accountdoesn't show any password policy grace period usage after the test.
The pwdPolicySubentry is still the only password policy relatedentry on his account.
This suggests that I'll need to force people to change theirpassword's at some point.
1) Is what I'm seeing normal/expected?
2) What method(s) have you used to force people to change theirpassword - beyond asking them?
Thanks!
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology &Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it inerror, please notify the sender and remove it from your system.

References:
- Tips when implementing password policies
  - From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>

Prev by Date: Re: Problem with getent passwd
Next by Date: Re: Tips when implementing password policies
Index(es):
- Chronological
- Thread