I
​ have tried using ppolicy, but it is not really doing anything.
I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.

​When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together.

Other than that, none of the other fields seem to have any effect.

Do you have a working example of ppolicy?


Thanks,
Dan


On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT <clem.oudot@gmail.com> wrote:


2013/4/10 D C <dc12078@gmail.com>
After nearly two weeks of going nuts trying to setup a password policy, I finally found part of the documentation that I was missing.  Apparently "ppolicy" does not actualy enforce the policy you create.  If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.

No, ppolicy overlay manages a lot of things, like password history, password min size, password expiration, etc.
 

In particular the attribute pwdCheckModule, needs to point to a module which can enforce the policy.  However no module seems to be provided.

What modules are other people using?  I stumbled around and found password_check.so, which I am trying to setup now with partial success.



This module adds some additional checks to the standard ppolicy overlay, like lower and upper cases characters.
 
Anyone else have something better?  One thing I need to do which I don't think this will help with, is storing the last x passwords.


Just use the standard ppolicy overlay and set pwdInHistory attribute value.


Clément.
Thanks,
Dan