have tried using ppolicy, but it is not really doing anything.

I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.

When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together.

Other than that, none of the other fields seem to have any effect.

Do you have a working example of ppolicy?

Thanks,

Dan

On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT <clem.oudot@gmail.com> wrote:

2013/4/10 D C <dc12078@gmail.com>

After nearly two weeks of going nuts trying to setup a password policy, I finally found part of the documentation that I was missing. Apparently "ppolicy" does not actualy enforce the policy you create. If I'm understanding the documentation correctly, it really only provides more of a transport to something else which can do it.

No, ppolicy overlay manages a lot of things, like password history, password min size, password expiration, etc.

In particular the attribute pwdCheckModule, needs to point to a module which can enforce the policy. However no module seems to be provided.

What modules are other people using? I stumbled around and found password_check.so, which I am trying to setup now with partial success.

http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password

This module adds some additional checks to the standard ppolicy overlay, like lower and upper cases characters.

Anyone else have something better? One thing I need to do which I don't think this will help with, is storing the last x passwords.

Just use the standard ppolicy overlay and set pwdInHistory attribute value.

Clément.

Thanks,
Dan