Lee Sheridan wrote:
> I'm a little confused about a couple of things with ppolicy, I would
> appreciate someone helping me to sort it out.
> Here's my problem. I have a pwdMinAge set to some number X. The reason
> is that the password policy I'm implementing says that passwords must
> not be reused until some N days and Y number of changes have elapsed.
> Thus, pwdMinAge is approximately N / Y, which means that even if a user
> changes their password every X days, they won't go through all Y
> passwords until all N days have passed. Clearly not the best option.
If your policy is N days AND Y number of changes, then it seems to me
that you just need to set pwdMinAge to N and pwdInHistory to Y. Your use
of pwdMinAge = N / Y would equate to N OR Y.
> So my first question is this: I see that the pwdHistory attribute
> stores the time the password was used within it. Is there some way for
> ppolicy to check if a password that is being reused has been reused in
> < X days?
Not at present.
> Failing in that (which would allow me to get rid of using
> pwdMinAge)...
> When I set a user password with the rootdn or similar, the user can not
> reset their password because it is too young. I can see no way to
> modify pwdChangedTime. How exactly is this handled?
You would need to use something like the Relax Rules (formerly
ManageDIT) control.
http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-relax-00.txt
As an administrator you would set this control and delete the
pwdChangedTime attribute.
> Third, apparently only the rootdn can set a password when the password
> is < pwdMinAge. Users with an ACL that allows write access to
> userPassword also go through the ppolicy policies (which makes sense).
> Is there a way to exclude them also from ppolicy constraints when
> setting another user's password?
Not at present.
You're welcome to submit patches to the ITS implementing the features
you're interested in.
--
-- Howard Chu
Chief Architect, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc
OpenLDAP Core Team
http://www.openldap.org/project/
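The two configuration points from the reply above, as an added example that is not part of the thread: a pwdPolicy entry that expresses "N days AND Y changes" as pwdMinAge = N (in seconds) and pwdInHistory = Y, and the administrative deletion of pwdChangedTime via the Relax Rules control so a freshly reset user is not blocked by pwdMinAge. It assumes OpenLDAP 2.4 client tools (ldapadd/ldapmodify with `-e relax`), the ppolicy overlay loaded, and the placeholder DNs and day counts below, all of which are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. DNs and numbers are constructed placeholders.
set -eu

N_DAYS=${N_DAYS:-30}      # policy: no reuse within N days (constructed value)
Y_CHANGES=${Y_CHANGES:-5} # policy: no reuse within Y password changes (constructed)
POLICY_DN="cn=default,ou=policies,dc=example,dc=com"
ADMIN_DN="cn=Manager,dc=example,dc=com"

# pwdMinAge is expressed in seconds, so convert the day count.
days_to_seconds() { echo $(( $1 * 86400 )); }

# Policy entry implementing "N days AND Y changes": pwdMinAge=N, pwdInHistory=Y.
# (Setting pwdMinAge to N / Y would instead yield "N days OR Y changes".)
policy_ldif() {
  cat <<EOF
dn: $POLICY_DN
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: default
sn: default
pwdAttribute: userPassword
pwdMinAge: $(days_to_seconds "$N_DAYS")
pwdInHistory: $Y_CHANGES
EOF
}

# After an administrative reset, delete pwdChangedTime on the user entry so the
# user can change the password before pwdMinAge elapses. pwdChangedTime is an
# operational attribute, so the modify must carry the Relax Rules control.
clear_changed_time_ldif() {
  cat <<EOF
dn: $1
changetype: modify
delete: pwdChangedTime
EOF
}

apply_policy() { policy_ldif | ldapadd -x -D "$ADMIN_DN" -W; }
unlock_user()  { clear_changed_time_ldif "$1" | ldapmodify -x -D "$ADMIN_DN" -W -e relax; }
```

Run `apply_policy` once, and `unlock_user "uid=alice,dc=example,dc=com"` after each administrative password reset.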