Mike Partyka wrote:
> Hello,
> Our mail server authenticates against an LDAP directory. Is there a way to enforce stronger passwords, like what can be done referencing the pam_cracklib.so module to prevent the use of weak or bad passwords?
> The mail web front end uses the pam_ldap.so modules to authenticate using the LDAP directory; is there another module I can stack before the pam_ldap.so?

Placing this type of policy enforcement in the PAM stack is a bit wrong (in my opinion) since it has to be reproduced on every PAM client machine. The password policy module in OpenLDAP's CVS HEAD enforces policy centrally (on the server) and I believe this is the right place for this enforcement to occur. Also the ppolicy module allows you to dynamically load an external function for password quality checking, so you can hook in your cracklib check if you so desire. See the slapo-ppolicy(5) manpage for full details. The latest version in CVS HEAD has been modified for the new (OpenLDAP 2.3) slapd API, but revision 1.28 should still work with OpenLDAP 2.2.
--
  -- Howard Chu
  Chief Architect, Symas Corp.  Director, Highland Sun
  http://www.symas.com  http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
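The external quality-check hook mentioned in the reply, as an added example that is not part of the original message or of OpenLDAP's own code: a loadable checker using the `check_password()` signature documented in slapo-ppolicy(5) (confirm it against the manpage for your release). The `Entry` typedef and result-code defines are stand-ins so the file compiles alone, and the length and character-class thresholds are constructed policy values.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins so this compiles on its own (assumption); a real module is
 * built against the OpenLDAP source tree and includes slap.h instead. */
typedef struct Entry Entry;
#ifndef LDAP_SUCCESS
#define LDAP_SUCCESS 0x00
#define LDAP_OTHER   0x50
#endif

#define MIN_LEN     10   /* constructed policy values, not from the post */
#define MIN_CLASSES 3

/* Return a rejection with a heap-allocated reason; slapd frees the string. */
static int reject(char **ppErrStr, const char *why)
{
    if (ppErrStr) {
        size_t n = strlen(why) + 1;
        *ppErrStr = malloc(n);
        if (*ppErrStr) memcpy(*ppErrStr, why, n);
    }
    return LDAP_OTHER;
}

/* Entry point the ppolicy overlay looks up in the shared object. */
int check_password(char *pPasswd, char **ppErrStr, Entry *pEntry)
{
    int lower = 0, upper = 0, digit = 0, other = 0;
    const unsigned char *p;
    (void)pEntry;                  /* entry attributes are not used here */
    if (ppErrStr) *ppErrStr = NULL;
    if (pPasswd == NULL)
        return reject(ppErrStr, "no password supplied");
    if (strlen(pPasswd) < MIN_LEN)
        return reject(ppErrStr, "password is too short");
    for (p = (const unsigned char *)pPasswd; *p; p++) {
        if (islower(*p))      lower = 1;
        else if (isupper(*p)) upper = 1;
        else if (isdigit(*p)) digit = 1;
        else                  other = 1;
    }
    if (lower + upper + digit + other < MIN_CLASSES)
        return reject(ppErrStr, "password needs more character classes");
    /* A cracklib dictionary lookup (FascistCheck) would be called here. */
    return LDAP_SUCCESS;
}
```

Per slapo-ppolicy(5), the overlay loads the shared object named in the policy entry's `pwdCheckModule` attribute and calls it only when `pwdCheckQuality` is 1 or 2, after its built-in checks pass.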