Hello Folks,
On my OpenLDAP server I was using shadowAccount to enforce password changes for my users. It works, but it's not really secure: users can reuse old passwords, etc.
So I had a look at ppolicy and applied this tutorial: http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear to me. Do I have to disable shadowAccount in my schema?
If not, will shadowLastChange be updated?
I suppose I need to include the ppolicy schema on all my replicas.
Thanks in advance for your help, Jacques Foucry
On Fri, 3 May 2013, Jacques Foucry wrote:
So I had a look at ppolicy and applied this tutorial: http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear to me. Do I have to disable shadowAccount in my schema?
If not, will shadowLastChange be updated?
Any shadowAccount concepts and slapo-ppolicy are independent. Your local implementation can consider the usage of one/both/neither in a coordinated fashion, but slapd won't help you in this manner.
Note that slapo-ppolicy operates almost entirely server-side, whereas any shadow-related attributes (e.g. the shadowLastChange you mentioned) are updated by LDAP clients (typically an LDAP NSS module or similar). If you're trying to make something consistent across an entire directory, depending on client-specific behavior is difficult unless you have tight client control.
I suppose I need to include the ppolicy schema on all my replicas.
Keeping schema consistent across all your servers is a best practice.
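As an added illustration of the server-side part Aaron describes (this is example configuration, not from the thread, the linked tutorial or the OpenLDAP project): a cn=config LDIF that loads slapo-ppolicy and creates a default policy covering password history and ageing, i.e. the reuse problem from the original question. The suffix dc=example,dc=com, the database DN olcDatabase={1}mdb, the module name, the schema path and every policy value are assumptions to adapt; they are marked in the comments.

```ldif
# Assumed layout: OpenLDAP 2.4 with cn=config, user data in olcDatabase={1}mdb
# under dc=example,dc=com. All DNs and values below are examples.
#
# 0. Load the ppolicy schema once per server (2.5 and later ship it built in):
#      ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/ppolicy.ldif
#
# Apply sections 1-2 as the config root-DSE identity:
#      ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy-config.ldif
# Apply section 3 as the directory administrator of dc=example,dc=com.

# 1. Load the overlay module (omit if ppolicy is compiled into slapd or the
#    value already exists in olcModuleLoad; the add would then fail harmlessly).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Attach the overlay to the user database.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
# Policy used by every entry that carries no pwdPolicySubentry of its own.
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords server-side (per olcPasswordHash) so the overlay can
# evaluate pwdCheckQuality and record pwdHistory. Clients must then send the
# cleartext over TLS/ldapi instead of a pre-hashed {SSHA} value.
olcPPolicyHashCleartext: TRUE
# FALSE keeps a locked account indistinguishable from a wrong password at bind.
olcPPolicyUseLockout: FALSE

# 3. The policy entry. pwdPolicy is auxiliary, so it rides on a structural class.
dn: ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: policies

dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: person
objectClass: pwdPolicy
cn: default
sn: default
pwdAttribute: userPassword
# 90 days maximum age, in seconds.
pwdMaxAge: 7776000
# 1 day minimum age: stops a user cycling through the whole history in one go.
pwdMinAge: 86400
# Remember the last 5 hashes and refuse reuse (the reuse problem above).
pwdInHistory: 5
pwdMinLength: 12
# 2 = check quality and reject when the server cannot check (e.g. pre-hashed).
pwdCheckQuality: 2
# Warn during the last 14 days before expiry.
pwdExpireWarning: 1209600
# No binds with an expired password.
pwdGraceAuthNLimit: 0
pwdLockout: TRUE
pwdMaxFailure: 5
# Failures are counted within 15 minutes; lock for 15 minutes (0 = until reset).
pwdFailureCountInterval: 900
pwdLockoutDuration: 900
# After an administrative reset the user must change the password at next bind.
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
```

Once this is in place, the state the overlay manages is visible as operational attributes: after a user changes their password through LDAP, `ldapsearch -LLL -x -D cn=admin,dc=example,dc=com -W -b uid=someone,ou=people,dc=example,dc=com pwdChangedTime pwdHistory pwdPolicySubentry` (assumed DNs) shows pwdChangedTime and the retained pwdHistory hashes. Two caveats follow from the overlay being server-side only: entries whose password was last set before the overlay existed have no pwdChangedTime, so pwdMaxAge does not apply to them until their next change; and none of this touches shadowLastChange, which stays whatever the clients wrote. For replication, the policy entry travels with the data, but the overlay configuration has to exist on every server that accepts binds, and a consumer that must record lockout state (pwdFailureTime, pwdAccountLockedTime) needs olcPPolicyForwardUpdates with the chain overlay so those writes reach the provider.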
On 03/05/2013 17:04, Aaron Richton wrote:
Aaron,
Any shadowAccount concepts and slapo-ppolicy are independent. Your local implementation can consider the usage of one/both/neither in a coordinated fashion, but slapd won't help you in this manner.
Ok.
Note that slapo-ppolicy operates almost entirely server-side, whereas any shadow-related attributes (e.g. the shadowLastChange you mentioned) are updated by LDAP clients (typically an LDAP NSS module or similar). If you're trying to make something consistent across an entire directory, depending on client-specific behavior is difficult unless you have tight client control.
If I understood correctly, it will be easier to disable the shadow-related attributes and let slapo-ppolicy manage the password policy on the server side, because I can't have very tight control over the clients.
Jacques
openldap-technical@openldap.org