7:33 a.m.
Hello Folks,
On my openldap server I was using shadowAccount to enforce password
change for my users. It works, but it's not really secure. Users can
reuse old passwors, etc.
So I had a look to ppolicy and appli this tutorial:
http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear for me. Did I have to disable shadowAccount on
my schema?
If not is shadowLastChange will be updated?
I hope I need to include ppolicy schema on all my replica.
Thanks in advance for your help,
Jacques Foucry
--
Jacques Foucry
*NOVΛSPARKS *
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
8:04 a.m.
On Fri, 3 May 2013, Jacques Foucry wrote:
So I had a look to ppolicy and appli this tutorial:
http://theslashroot.blogspot.fr/2011/12/openldap-with-ppolicy.html
Some things are not clear for me. Did I have to disable shadowAccount on my
schema?
If not is shadowLastChange will be updated?
Any shadowAccount concepts and slapo-ppolicy are independent. Your local
implementation can consider the usage of one/both/neither in a coordinated
fashion, but slapd won't help you in this manner.
Note that slapo-ppolicy operates almost entirely server-side, whereas any
shadow-related attributes (i.e. shadowLastChange you mentioned) are
updated by LDAP clients (typically a LDAP NSS module or similar). If
you're trying to make something consistent across an entire directory,
depending on client-specific behavior is difficult unless you have tight
client control.
I hope I need to include ppolicy schema on all my replica.
Keeping schema consistent across all your servers is a best practice.
1:47 a.m.
Le 03/05/2013 17:04, Aaron Richton a écrit :
Aaron,
Any shadowAccount concepts and slapo-ppolicy are independent. Your
local
implementation can consider the usage of one/both/neither in a
coordinated fashion, but slapd won't help you in this manner.
Ok.
Note that slapo-ppolicy operates almost entirely server-side,
whereas
any shadow-related attributes (i.e. shadowLastChange you mentioned) are
updated by LDAP clients (typically a LDAP NSS module or similar). If
you're trying to make something consistent across an entire directory,
depending on client-specific behavior is difficult unless you have tight
client control.
If I understood, It will be easier to disable shadow-related attributes
and keep slapo-ppolicy manage the password policy on server-side,
because I can't have a very hight control on the clients.
Jacques
--
Jacques Foucry
*NOVΛSPARKS *
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
3687
days inactive
3690
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Aaron Richton -
Jacques Foucry