I have tried using ppolicy, but it is not really doing anything. I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.
When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together.
Other than that, none of the other fields seem to have any effect.
Do you have a working example of ppolicy?
Thanks, Dan
On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT clem.oudot@gmail.com wrote:
2013/4/10 D C dc12078@gmail.com
After nearly two weeks of going nuts trying to setup a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actualy enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.
No, ppolicy overlay manages a lot of things, like password history, password min size, password expiration, etc.
In particular the attribute pwdCheckModule, needs to point to a module which can enforce the policy. However no module seems to be provided.
What modules are other people using? I stumbled around and found password_check.so, which I am trying to setup now with partial success.
http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
This module adds some additional checks to the standard ppolicy overlay, like lower and upper cases characters.
Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords.
Just use the standard ppolicy overlay and set pwdInHistory attribute value.
Clément.
Thanks, Dan