Hello,
I need to implement directory users' credentials lifetime functionality on my OpenLDAP server (2.3.27). For each user, the lifetime can be set to "forever" or to a number of days between 1 and 365. After the lifetime expires, the user must be terminated (the user entry stays in the directory but is no longer able to authenticate).
I have inspected the slapo-ppolicy(5) overlay functionality, and it seems that:
"pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
would help, but then I would need to set up a separate policy for each user with a different lifetime (not acceptable).
I would like to ask whether slapd(8) offers features (in addition to slapo-ppolicy) to control the lifetime of directory users' credentials. Is there a convenient way to implement such a requirement?
Any suggestions are very appreciated!
Thanks in advance,
Alina.
On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
Hello,
I need to implement directory users' credentials lifetime functionality on my OpenLDAP server (2.3.27). For each user, the lifetime can be set to "forever" or to a number of days between 1 and 365. After the lifetime expires, the user must be terminated (the user entry stays in the directory but is no longer able to authenticate).
I have inspected the slapo-ppolicy(5) overlay functionality, and it seems that:
"pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
would help, but then I would need to set up a separate policy for each user with a different lifetime (not acceptable).
To be completely accurate, you would create a policy, and apply that policy to individual entries by setting the pwdPolicySubentry attribute of that entry to the DN of the policy.
I would like to ask whether slapd(8) offers features (in addition to slapo-ppolicy) to control the lifetime of directory users' credentials. Is there a convenient way to implement such a requirement?
Note the ppolicy_default option, documented in the man page, which allows you to have a default password policy for the entire database (which you would override if necessary as above).
Regards, Buchan
Buchan Milne wrote:
On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
I have inspected the slapo-ppolicy(5) overlay functionality, and it seems that:
"pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
would help, but then I would need to set up a separate policy for each user with a different lifetime (not acceptable).
To be completely accurate, you would create a policy, and apply that policy to individual entries by setting the pwdPolicySubentry attribute of that entry to the DN of the policy.
This is completely true and correct today, but that's not how it is meant to work in the future. Just a little FYI... Subentries are actually intended to follow the X.500 administration model, using subtree search specifications to define the range of the tree over which they apply. I.e., in X.500 you would create a pwdPolicy subentry at some administration point in the DIT, defining the policy and the range of entries that are to be subject to the policy. And then the directory is supposed to dynamically populate the pwdPolicySubentry operational attribute of all the affected entries, indicating which subentry controls them. For now OpenLDAP lacks true subentry support. When the support is added in the future, these pwdPolicySubentry operational attributes will be read-only, dynamically generated based on the specifications in the actual pwdPolicy subentries.
Given the lack of real subentry support it was easier to do things this way, but in hindsight we should have made the ppolicy overlay dynamically generate the operational attributes itself. The current implementation gives a wrong indication of how subentries should normally work...
I would like to ask whether slapd(8) offers features (in addition to slapo-ppolicy) to control the lifetime of directory users' credentials. Is there a convenient way to implement such a requirement?
Note the ppolicy_default option, documented in the man page, which allows you to have a default password policy for the entire database (which you would override if necessary as above).
Regards, Buchan
Buchan, Howard,
Thank you very much for your responses! Yes, that is exactly how I imagined the ppolicy functionality. The thing confusing me is that, having a large number of users with different lifetimes, I will need to store and manage a large number of pwdPolicy subentries. That is undesirable, but not critical.
Now please imagine the following extension of the requirement: this time I need to control the global lifetime of the user entry, not the lifetime of the users' credentials. The difference is that the user should be able to change the password without that affecting or extending the lifetime. The only way to change the global lifetime should be some kind of manual reset procedure (performed by the LDAP administrator). The described approach, "pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0", will not be valid anymore, because if a user changes their own password, the lifetime will be extended to the value of "pwdMaxAge" once again (as far as I understand).
Probably a solution could be to control user password change actions and also modify the assigned ppolicy each time a user decides to change the password (subtract the seconds since the last password change from "pwdMaxAge"). Similarly for the use case where the administrator decides to reset the lifetime of a user entry: check "pwdChangedTime", calculate the difference and set "pwdMaxAge" correspondingly. Something like this: "pwdMaxAge" = "newLifetime_InSec" + difference_in_sec("currentTime","pwdChangedTime")
However, I'm not sure that this is the correct approach... What do you think, will the described solution work? Maybe there are other slapd(8) features to control the global user entry lifetime? I have heard about the "shadowAccount" objectclass; is it supported by OpenLDAP, and could it be helpful?
Thank you, Alina.
On 1/3/07, Howard Chu <hyc@symas.com> wrote:
Buchan Milne wrote:
On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
I have inspected the slapo-ppolicy(5) overlay functionality, and it seems that:
"pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
would help, but then I would need to set up a separate policy for each user with a different lifetime (not acceptable).
To be completely accurate, you would create a policy, and apply that policy to individual entries by setting the pwdPolicySubentry attribute of that entry to the DN of the policy.
This is completely true and correct today, but that's not how it is meant to work in the future. Just a little FYI... Subentries are actually intended to follow the X.500 administration model, using subtree search specifications to define the range of the tree over which they apply. I.e., in X.500 you would create a pwdPolicy subentry at some administration point in the DIT, defining the policy and the range of entries that are to be subject to the policy. And then the directory is supposed to dynamically populate the pwdPolicySubentry operational attribute of all the affected entries, indicating which subentry controls them. For now OpenLDAP lacks true subentry support. When the support is added in the future, these pwdPolicySubentry operational attributes will be read-only, dynamically generated based on the specifications in the actual pwdPolicy subentries.
Given the lack of real subentry support it was easier to do things this way, but in hindsight we should have made the ppolicy overlay dynamically generate the operational attributes itself. The current implementation gives a wrong indication of how subentries should normally work...
I would like to ask whether slapd(8) offers features (in addition to slapo-ppolicy) to control the lifetime of directory users' credentials. Is there a convenient way to implement such a requirement?
Note the ppolicy_default option, documented in the man page, which allows you to have a default password policy for the entire database (which you would override if necessary as above).
Regards, Buchan
--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
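An added worked example, not code from anyone in this thread: it ties Buchan's per-entry pwdPolicySubentry assignment (with ppolicy_default as the fallback) to Alina's proposal of recomputing pwdMaxAge whenever pwdChangedTime moves, so that the password can be changed without extending the entry's global lifetime. The DNs (dc=example,dc=com, ou=policies, ou=people), the per-user policy naming and the use of the device structural class to carry the auxiliary pwdPolicy class are assumptions for the illustration; slapd.conf is assumed to carry `overlay ppolicy` and `ppolicy_default "cn=default,ou=policies,dc=example,dc=com"`. The one caveat the arithmetic must handle is that pwdMaxAge=0 means "never expires", so an expiry that is already in the past must not be written as 0.

```python
"""Fixed account lifetime on top of slapo-ppolicy (added example, hypothetical DNs).

The lifetime is recorded as an absolute expiry instant chosen by the administrator.
Whenever the entry's pwdChangedTime changes (user password change, admin reset),
pwdMaxAge on the user's own pwdPolicy entry is recomputed as expiry - pwdChangedTime,
which is Alina's formula rearranged around the fixed expiry.
"""
from datetime import datetime, timedelta, timezone

FOREVER = None  # lifetime "forever": pwdMaxAge 0 (or absent) means the password never ages


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime as slapd writes pwdChangedTime, e.g. 20070103120000Z."""
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime (trailing Z) is handled here")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def format_generalized_time(when: datetime) -> str:
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def expiry_from_lifetime(now_gt: str, lifetime_days):
    """Absolute expiry (GeneralizedTime) for a lifetime of 1..365 days; None for forever.

    This is the value the administrator's manual reset procedure records; a user
    password change never touches it.
    """
    if lifetime_days is FOREVER:
        return None
    if not 1 <= lifetime_days <= 365:
        raise ValueError("lifetime must be between 1 and 365 days")
    return format_generalized_time(parse_generalized_time(now_gt) + timedelta(days=lifetime_days))


def pwd_max_age_for(expiry_gt, pwd_changed_time: str) -> int:
    """pwdMaxAge (seconds) that makes ppolicy expire the password exactly at expiry_gt,
    given the entry's current pwdChangedTime."""
    if expiry_gt is None:
        return 0  # pwdMaxAge 0: no password aging at all
    delta = parse_generalized_time(expiry_gt) - parse_generalized_time(pwd_changed_time)
    seconds = int(delta.total_seconds())
    # pwdMaxAge 0 would *disable* aging, so an expiry that has already passed must never
    # round to 0 or below: clamp to 1 second, which keeps the entry expired.
    return max(seconds, 1)


def policy_ldif(policy_dn: str, pwd_max_age: int, create: bool) -> str:
    """LDIF for the user's personal pwdPolicy entry: create it, or replace pwdMaxAge
    after a password change or an administrative reset."""
    if create:
        cn = policy_dn.split(",", 1)[0].split("=", 1)[1]
        return (
            "dn: %s\n"
            "objectClass: device\n"      # structural class assumed; pwdPolicy is auxiliary
            "objectClass: pwdPolicy\n"
            "cn: %s\n"
            "pwdAttribute: userPassword\n"
            "pwdMaxAge: %d\n"
            "pwdGraceAuthnLimit: 0\n"    # no grace logins once expired
            % (policy_dn, cn, pwd_max_age)
        )
    return "dn: %s\nchangetype: modify\nreplace: pwdMaxAge\npwdMaxAge: %d\n" % (policy_dn, pwd_max_age)


def assign_policy_ldif(user_dn: str, policy_dn: str) -> str:
    """Point the user entry at its policy via pwdPolicySubentry (Buchan's per-entry
    override of ppolicy_default)."""
    return (
        "dn: %s\nchangetype: modify\nreplace: pwdPolicySubentry\npwdPolicySubentry: %s\n"
        % (user_dn, policy_dn)
    )


if __name__ == "__main__":
    # Constructed walk-through: a 90-day lifetime granted on 3 Jan 2007, then the user
    # changes the password on 3 Feb; the expiry stays 3 Apr and pwdMaxAge shrinks to 59 days.
    user = "uid=alice,ou=people,dc=example,dc=com"
    policy = "cn=alice,ou=policies,dc=example,dc=com"
    expiry = expiry_from_lifetime("20070103120000Z", 90)
    print(policy_ldif(policy, pwd_max_age_for(expiry, "20070103120000Z"), create=True))
    print(assign_policy_ldif(user, policy))
    print(policy_ldif(policy, pwd_max_age_for(expiry, "20070203120000Z"), create=False))
```

The LDIF strings are meant to be fed to ldapmodify by whatever hook observes the password change (in 2.3 that is an external process watching pwdChangedTime, since the overlay itself offers no such callback). Reading pwdPolicySubentry and pwdChangedTime back requires asking for operational attributes explicitly (`+` in the attribute list).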