[Date Prev][Date Next]
Re: sane ppolicy choices
Thank you for the suggestion. This certainly is one way to go. Your approach is simple. That's always good. I just need to think whether disallowing password change for trial users is acceptable.
On Thursday, March 5, 2015, Dieter Klünter <firstname.lastname@example.org
Am Thu, 5 Mar 2015 11:35:23 +0200
schrieb Igor Shmukler <email@example.com>:
> I am trying to implement a trial [period] for new customers, using the
> OpenLDAP password policy overlay.
> I was thinking about setting a combination of pwdMaxAge, pwdMustChange
> and pwdAllowUserChange.
> Basically, the best idea I have had is to set MaxAge to the length of
> trial [in seconds] then in a user changes the password while in trial
> mode, calculate MaxAge as (trial_length - time_passed), then at the
> end setting MustChange to true and AllowUserChange to false [until the
> trial has been converted].
> Is that a sane policy? Should I be doing something totally different?
> Please advise.
I would create and set a password according to RFC-3062, a little Perl
script could do this and mail the password to the trial user. I would
not allow a user to modify her pasword in a trial period.
Policy would be
pwdMaxAge: according to your requirements.
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B