I'm a little confused about a couple of things with ppolicy, I would appreciate someone helping me to sort it out.
Here's my problem. I have a pwdMinAge set to some number X. The reason is that the password policy I'm implementing says that passwords must not be reused until some N days and Y number of changes have elapsed.
Thus, pwdMinAge is approximately N / Y, which means that even if a user changes their password every X days, they won't go through all Y passwords until all N days have passed. Clearly not the best option.
So my first question is this: I see that the pwdHistory attribute stores time the password was used within it. Is there some way for ppolicy to check if a password that is being reused has been reused in < X days?
Failing in that (which would allow me to get rid of using pwdMinAge)... When I set a user password with the rootdn or similar, the user can not reset their password because it is too young. I can see no way to modify pwdChangedTime. How exactly is this handled?
Third, apparently only the rootdn can set a password when the password is < pwdMinAge. Users with an ACL that allows write access to userPassword also go through the ppolicy policies (which makes sense). Is there a way to exclude them also from ppolicy constraints when setting another user's password?
TIA,
Lee Sheridan wrote:
> I'm a little confused about a couple of things with ppolicy, I would appreciate someone helping me to sort it out.
> Here's my problem. I have a pwdMinAge set to some number X. The reason is that the password policy I'm implementing says that passwords must not be reused until some N days and Y number of changes have elapsed.
> Thus, pwdMinAge is approximately N / Y, which means that even if a user changes their password every X days, they won't go through all Y passwords until all N days have passed. Clearly not the best option.

If your policy is N days AND Y number of changes, then it seems to me that you just need to set pwdMinAge to N and pwdInHistory to Y. Your use of pwdMinAge = N / Y would equate to N OR Y.

> So my first question is this: I see that the pwdHistory attribute stores time the password was used within it. Is there some way for ppolicy to check if a password that is being reused has been reused in < X days?

Not at present.

> Failing in that (which would allow me to get rid of using pwdMinAge)... When I set a user password with the rootdn or similar, the user can not reset their password because it is too young. I can see no way to modify pwdChangedTime. How exactly is this handled?

You would need to use something like the Relax Rules (formerly ManageDIT) control. http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-relax-00.txt As an administrator you would set this control and delete the pwdChangedTime attribute.

> Third, apparently only the rootdn can set a password when the password is < pwdMinAge. Users with an ACL that allows write access to userPassword also go through the ppolicy policies (which makes sense). Is there a way to exclude them also from ppolicy constraints when setting another user's password?

Not at present.
You're welcome to submit patches to the ITS implementing the features you're interested in.
openldap-software@openldap.org
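The two checks discussed in this thread, worked through outside slapd as an added example (this is not OpenLDAP code and not something ppolicy itself does): first, the "was this password used within the last N days" test the original poster asked for, which ppolicy cannot do but which an external password-change front end can, by reading the user's pwdHistory values (format time#syntaxOID#length#data, per the password policy draft) and verifying the candidate against each stored {SSHA} hash; second, the pwdMinAge test that blocks a self-service change when pwdChangedTime is too recent. The sample history entries, timestamps and salt below are constructed for the example; only {SSHA} hashes are handled.

```python
"""Replay two ppolicy-related checks on data read from a user's entry.

Added example, not part of OpenLDAP. Assumes pwdHistory values have the
draft format 'time#syntaxOID#length#data' and that stored hashes are {SSHA}
(salted SHA-1, base64 of digest+salt, as slappasswd produces).
"""
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone

USERPASSWORD_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.40"  # Octet String


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime such as 20090212095401Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ssha(password, salt=None):
    """Produce a {SSHA} value the way slappasswd -h {SSHA} does."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Check a cleartext candidate against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("only {SSHA} hashes are handled in this example")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    return hashlib.sha1(password.encode() + salt).digest() == digest


def parse_pwd_history(value):
    """Split one pwdHistory value into (used_at, syntax OID, stored hash)."""
    time_str, syntax_oid, length, data = value.split("#", 3)
    if int(length) != len(data):
        raise ValueError("pwdHistory length field does not match data")
    return parse_gentime(time_str), syntax_oid, data


def build_history_entry(used_at, password, salt):
    """Construct a pwdHistory value for the sample data (not read from a server)."""
    data = ssha(password, salt)
    return f"{used_at:%Y%m%d%H%M%SZ}#{USERPASSWORD_SYNTAX}#{len(data)}#{data}"


def reused_within(candidate, history_values, now, days):
    """Return when `candidate` was last used if that was within `days` of `now`,
    else None. This is the time-aware reuse check ppolicy does not perform."""
    cutoff = now - timedelta(days=days)
    hits = []
    for value in history_values:
        used_at, _oid, data = parse_pwd_history(value)
        if used_at >= cutoff and ssha_verify(candidate, data):
            hits.append(used_at)
    return max(hits) if hits else None


def change_blocked_by_min_age(pwd_changed_time, now, pwd_min_age_seconds):
    """True when slapd would reject a user's own change because the current
    password is younger than pwdMinAge (an admin set via rootdn still works)."""
    age = now - parse_gentime(pwd_changed_time)
    return age < timedelta(seconds=pwd_min_age_seconds)


# Constructed sample data: a fixed salt keeps the hashes reproducible.
SAMPLE_SALT = b"\x01\x02\x03\x04"
NOW = datetime(2009, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_HISTORY = [
    build_history_entry(datetime(2009, 2, 12, 9, 54, 1, tzinfo=timezone.utc),
                        "old-secret-1", SAMPLE_SALT),
    build_history_entry(datetime(2008, 11, 1, 8, 0, 0, tzinfo=timezone.utc),
                        "old-secret-2", SAMPLE_SALT),
]

if __name__ == "__main__":
    for candidate in ("old-secret-1", "old-secret-2", "brand-new"):
        print(candidate, "->", reused_within(candidate, SAMPLE_HISTORY, NOW, 30))
    # A password set by the admin an hour ago, with pwdMinAge of one day:
    print("blocked:", change_blocked_by_min_age("20090301110000Z", NOW, 86400))
```

The reuse check only works if the front end can read pwdHistory (an operational attribute, so the binding identity needs read access to it) and sees the cleartext candidate, which is why it belongs in a password-change proxy rather than in a client. For the pwdChangedTime problem in the thread, the administrative workaround named above is to delete the attribute under the Relax Rules control; with a current ldapmodify that is the `-e relax` option (assumed here, check your version's man page) on a modify that does `delete: pwdChangedTime`.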