Michael Ströder writes:
On 2/14/19 8:19 AM, Derek Zhou wrote:
Better use kerberos for advanced password policy requirements. You can use SASL to bridge LDAP's userPassword checking to a kerberos backend so everything still works and is much safer.
By which definition of "safe" is adding more complexity safer?
Especially since you don't know how the original poster does password changes. Maybe he wants to use ppolicy response controls etc.
Yeah, adding kerberos is added complexity, and you cannot change passwords via ldap anymore; it has to go through the kerberos route. My notion of "safe" only refers to the fact that the password text is not stored anywhere and a rogue admin cannot read users' passwords.
I haven't found a good and up-to-date howto with step-by-step instructions on ppolicy with cn=config. I'd appreciate it if someone here could give me a pointer.
Derek
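Since nobody in the thread posts the actual steps, here is a constructed LDIF sequence for enabling the ppolicy overlay under cn=config. It is added here as an illustration and is not from the original mail or from the OpenLDAP project's documentation. It assumes an mdb database at olcDatabase={1}mdb, an existing cn=module{0} entry (dynamic module build), a suffix of dc=example,dc=com and a Debian-style schema path; adjust those to your own server. The last entry shows the {SASL} pass-through form of userPassword that Derek describes, which also assumes saslauthd is running with a kerberos5 backend and slapd's SASL config points at it.

```ldif
# Step 1: load the ppolicy schema (OpenLDAP 2.4/2.5; 2.6 builds it into the overlay).
#   ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/ppolicy.ldif
# Steps 2 and 3 are applied with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif

# Step 2: load the overlay module (assumes cn=module{0} already exists).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# Step 3: attach the overlay to the database and point it at a default policy.
# olcPPolicyHashCleartext makes slapd hash passwords that clients send in clear,
# so no plaintext ever lands in the DIT even if the client forgets to hash.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: TRUE

# Step 4: the policy entry lives in the data DIT, not in cn=config.
# Apply with: ldapadd -x -D cn=admin,dc=example,dc=com -W -f policy.ldif
# pwdPolicy is AUXILIARY, so it needs a structural class such as person.
dn: ou=policies,dc=example,dc=com
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
pwdMinLength: 12
pwdCheckQuality: 2
pwdInHistory: 5
pwdMaxAge: 7776000
pwdExpireWarning: 604800
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE

# Step 5 (constructed user entry): the SASL pass-through Derek mentions.
# slapd hands the simple-bind password to saslauthd, which checks it against
# the KDC; the directory never stores the password itself.
dn: uid=derek,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: derek
cn: Derek Zhou
sn: Zhou
userPassword: {SASL}derek@EXAMPLE.COM
```

After loading, confirm with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcOverlay=ppolicy)"` and test a bind with a wrong password a few times to see pwdFailureTime accumulate on the user entry. Two caveats for the thread's Kerberos variant: pwdCheckQuality and pwdInHistory only act when the password modify goes through slapd, so with a {SASL} entry they are moot and the KDC's own policy has to cover quality and history, while bind-failure counting and lockout still apply because the client performs an ordinary simple bind. Also, quality checks see the password only if it arrives in cleartext at the server, so they only make sense over TLS or ldapi.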