Doug White wrote:
> Hey folks,
>
> What's the status of the password policy overlay in OpenLDAP 2.3? The credit card industry is mandating Windows-style account expiry and lockout controls and we'd like to use the ppolicy overlay to implement it using our existing OpenLDAP/pam_ldap-based authentication system. The manpage seems relatively complete and the code looks in decent shape, but there are some missing details that I'm hoping you can help out with.
>
> 2.3 is still in beta stage and we'd like to not use that in production;
> has someone backported the ppolicy overlay to 2.2?

The overlay was originally written for 2.2. However, the current code in CVS will only work with 2.3. The differences are probably minor, if you really want to get it running again under 2.2. Since that would be a new feature for 2.2, it is not something we will do as part of the Project. But as an alternative, you can use Symas CDS 2, which is based on OpenLDAP 2.2, and has this and many other overlays already bundled.

> In the password history, how are the old passwords encoded? Are they just
> a copy of the prior userPassword attribute value (i.e., hashed) or do they
> end up in cleartext?

They are a copy of the previous userPassword attribute value. If the previous value was cleartext, it will remain as cleartext. If it was hashed, it will remain hashed. Certainly we cannot reverse a hash to turn it back into cleartext.

> Does anyone have an example of a working config? :-)

See the test suite. Test022 sets up a ppolicy instance and exercises the functions.
--
Howard Chu
Chief Architect, Symas Corp.  Director, Highland Sun
http://www.symas.com  http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
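
Because each history value is a copy of the previous userPassword value, any password that was stored in cleartext stays readable in the history after it has been changed. The following audit sketch is an added example, not part of the reply above or of the OpenLDAP sources. It assumes the `pwdHistory` value layout `time#syntaxOID#length#data` from the LDAP password policy draft (not stated in the message) and flags history values that carry no `{SCHEME}` hash prefix; the function names and sample entries are constructed for illustration.

```python
import re

# Assumed pwdHistory value layout (from the LDAP password policy draft, not
# stated in the message above): time#syntaxOID#length#data
SCHEME_RE = re.compile(rb"^\{([A-Za-z0-9_.-]+)\}")


def parse_pwd_history(value: bytes) -> dict:
    """Split one pwdHistory value into its fields and detect the hash scheme."""
    # The password data may itself contain '#', so split on the first three only.
    parts = value.split(b"#", 3)
    if len(parts) != 4:
        raise ValueError("expected time#syntaxOID#length#data")
    time, oid, length, data = parts
    if not length.isdigit() or int(length) != len(data):
        raise ValueError("length field does not match data size")
    m = SCHEME_RE.match(data)
    return {
        "time": time.decode("ascii"),
        "syntax_oid": oid.decode("ascii"),
        "scheme": m.group(1).decode("ascii").upper() if m else None,
    }


def audit_history(entries: dict) -> list:
    """Return (dn, time) for each history value stored without a hash scheme."""
    findings = []
    for dn, values in entries.items():
        for raw in values:
            rec = parse_pwd_history(raw)
            if rec["scheme"] is None or rec["scheme"] == "CLEARTEXT":
                findings.append((dn, rec["time"]))
    return findings


# Constructed sample data: DNs, timestamps and password values are made up.
OID = b"1.3.6.1.4.1.1466.115.121.1.40"  # Octet String syntax (userPassword)
SAMPLE = {
    "uid=alice,ou=people,dc=example,dc=com": [b"20050301101500Z#" + OID + b"#38#{SSHA}" + b"A" * 32],
    "uid=bob,ou=people,dc=example,dc=com": [
        b"20050302090000Z#" + OID + b"#11#old#pass#01",
        b"20050310090000Z#" + OID + b"#38#{SSHA}" + b"B" * 32,
    ],
}

if __name__ == "__main__":
    for dn, when in audit_history(SAMPLE):
        print(f"cleartext value in pwdHistory: {dn} (changed {when})")
```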