
Re: passwd policy overlay status



Doug White wrote:

Hey folks,

What's the status of the password policy overlay in OpenLDAP 2.3? The
credit card industry is mandating Windows-style account expiry and lockout
controls and we'd like to use the ppolicy overlay to implement it using
our existing OpenLDAP/pam_ldap-based authentication system.  The manpage
seems relatively complete and the code looks in decent shape, but there are
some missing details that I'm hoping you can help out with.

2.3 is still in beta stage and we'd like to not use that in production;
has someone backported the ppolicy overlay to 2.2?


The overlay was originally written for 2.2. However, the current code in CVS will only work with 2.3. The differences are probably minor, if you really want to get it running again under 2.2. Since that would be a new feature for 2.2, it is not something we will do as part of the Project. But as an alternative, you can use Symas CDS 2, which is based on OpenLDAP 2.2, and has this and many other overlays already bundled.

In the password history, how are the old passwords encoded? Are they just
a copy of the prior userPassword attribute value (i.e., hashed) or do they
end up in cleartext?


They are a copy of the previous userPassword attribute value. If the previous value was cleartext, it will remain as cleartext. If it was hashed, it will remain hashed. Certainly we cannot reverse a hash to turn it back into cleartext.

Does anyone have an example of a working config? :-)


See the test suite. Test022 sets up a ppolicy instance and exercises the functions.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
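Two points from the thread lend themselves to a small defender-side check: history entries keep whatever encoding the old userPassword had (so a directory that ever accepted cleartext passwords carries cleartext in pwdHistory), and a pwdPolicy entry only delivers the lockout and expiry controls Doug asks about if the relevant attributes are actually set. The Python below is an added example, not code from this thread, from test022 or from OpenLDAP. It assumes the pwdHistory value layout "time#syntaxOID#length#data" from the password-policy draft the overlay implements, the attribute names from ppolicy.schema, and uses constructed sample values throughout (the hash strings are made up).

```python
"""Audit helpers for slapo-ppolicy data: pwdHistory encoding and policy strength."""
import re
from datetime import datetime

# Syntax OID for userPassword (Octet String); pwdHistory records it per value.
OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"
# Scheme prefixes slapd treats as hashed; anything without one is cleartext.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def parse_pwd_history(value: str) -> dict:
    """Split one pwdHistory value into time, syntax OID, length and the old password.

    The data field is the old userPassword verbatim and may itself contain '#',
    so only the first three separators are split on."""
    time_str, oid, length, data = value.split("#", 3)
    if len(data.encode()) != int(length):
        raise ValueError(f"length field {length} != {len(data.encode())} data bytes")
    m = SCHEME_RE.match(data)
    scheme = m.group(1).upper() if m else None
    return {
        "time": datetime.strptime(time_str, "%Y%m%d%H%M%SZ"),
        "syntax_oid": oid,
        "scheme": scheme,
        "hashed": scheme in HASHED_SCHEMES,
        "data": data,
    }


def cleartext_history_entries(values) -> list:
    """Return the old passwords that sit in pwdHistory unhashed."""
    return [h["data"] for h in map(parse_pwd_history, values) if not h["hashed"]]


def parse_ldif_entry(text: str) -> dict:
    """Minimal single-entry LDIF reader: 'attr: value' lines, no folding/base64."""
    entry = {}
    for line in text.strip().splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_policy(ldif_text: str) -> list:
    """Findings for a pwdPolicy entry that would not enforce lockout, expiry or history."""
    e = parse_ldif_entry(ldif_text)
    first = lambda attr, default=None: e.get(attr.lower(), [default])[0]
    findings = []
    if "pwdpolicy" not in [c.lower() for c in e.get("objectclass", [])]:
        findings.append("entry lacks objectClass pwdPolicy")
    if first("pwdAttribute") != "userPassword":
        findings.append("pwdAttribute must be userPassword (the only value the overlay supports)")
    if first("pwdLockout", "FALSE").upper() != "TRUE":
        findings.append("pwdLockout is not TRUE: failures are recorded but never lock the account")
    elif int(first("pwdMaxFailure", "0")) < 1:
        findings.append("pwdLockout is TRUE but pwdMaxFailure is 0: lockout never triggers")
    if int(first("pwdMaxAge", "0")) < 1:
        findings.append("pwdMaxAge is 0 or absent: passwords never expire")
    if int(first("pwdInHistory", "0")) < 1:
        findings.append("pwdInHistory is 0 or absent: password reuse is not prevented")
    return findings


def history_value(timestamp: str, old_password: str) -> str:
    """Build a pwdHistory value in the overlay's layout (constructed test data)."""
    return f"{timestamp}#{OCTET_STRING_OID}#{len(old_password.encode())}#{old_password}"


# Constructed samples: one hashed history entry, one cleartext entry containing '#'.
SAMPLE_HISTORY = [
    history_value("20050301120000Z", "{SSHA}3lB2rbr3g8FhNbtUwjY5E9CtbhYnTsgPWxPoXA=="),
    history_value("20050101090000Z", "s3cret#pass"),
]

# Constructed policy entries: pwdPolicy is AUXILIARY, hence the structural class device.
GOOD_POLICY_LDIF = """
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdInHistory: 4
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 1800
pwdFailureCountInterval: 900
"""

WEAK_POLICY_LDIF = """
dn: cn=weak,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: weak
pwdAttribute: userPassword
pwdLockout: FALSE
pwdMaxFailure: 5
"""

if __name__ == "__main__":
    print("cleartext in history:", cleartext_history_entries(SAMPLE_HISTORY))
    print("good policy findings:", check_policy(GOOD_POLICY_LDIF))
    print("weak policy findings:", check_policy(WEAK_POLICY_LDIF))
```

In practice you would feed `cleartext_history_entries` the pwdHistory values from an `ldapsearch` export of your users, and `check_policy` the entry named by `ppolicy_default` in slapd.conf. If the audit turns up cleartext history, the overlay's `ppolicy_hash_cleartext` option hashes passwords that arrive in the clear before they are stored, so future history entries are hashed; the existing ones stay as they are until they age out of the pwdInHistory window.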