On Monday 24 October 2005 22:03, Fran Fabrizio wrote:
> Looking at Google, there is a lot of conflicting information about
> whether password aging is supported from OpenLDAP.
>
> I personally thought that this was more a function of pam_ldap than of
> openldap itself, but there's lots of chatter out there as to which ldap
> servers support it.
>
> Assuming I have a schema that has password aging fields (we use
> shadowAccount as an objectClass for our user entries, for example) how
> would I implement password aging, and would it be done within openldap
> or with pam_ldap?

The attributes from shadowAccount are for client-side use AFAICT (and, via nss_ldap->pam_unix, not via pam_ldap AFAIK).

I think the current best solution is the ppolicy overlay (though that now requires 2.3x. ...). And, it seems it can't currently enforce password length checks (and quality checks require a custom overlay I think).

But, it does work ...

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
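An added example, not part of the original message: a sketch of how a client-side consumer evaluates the shadowAccount aging attributes discussed above. The directory only stores the numbers; the decision is made by whichever client reads them, so a client that skips this check is not bound by it. The logic is a simplified model of the shadow(5) field semantics, and the function names and sample entry are hypothetical.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadowAccount date fields count days since 1970-01-01."""
    return (d - EPOCH).days


def shadow_status(entry: dict, today: date) -> str:
    """Classify an entry as ok, warn, must_change, locked or account_expired.

    `entry` maps shadowAccount attribute names to the string values an
    LDAP search would return. Missing, empty or "-1" means "not set".
    """
    def num(attr):
        v = entry.get(attr)
        return int(v) if v not in (None, "", "-1") else None

    now = days_since_epoch(today)
    last, max_days = num("shadowLastChange"), num("shadowMax")
    warn, inactive = num("shadowWarning"), num("shadowInactive")
    expire = num("shadowExpire")

    if expire is not None and now >= expire:
        return "account_expired"      # account end date reached
    if last == 0:
        return "must_change"          # 0 forces a change at next login
    if last is None or max_days is None or now < last:
        return "ok"                   # aging not configured, or clock skew
    age = now - last
    if age > max_days:
        if inactive is not None and age > max_days + inactive:
            return "locked"           # grace period after expiry is over
        return "must_change"
    if warn is not None and age > max_days - warn:
        return "warn"
    return "ok"


# Constructed sample entry (not from a real directory).
SAMPLE = {"uid": "jdoe", "shadowLastChange": "13000", "shadowMax": "85",
          "shadowWarning": "7", "shadowInactive": "30"}

if __name__ == "__main__":
    print(shadow_status(SAMPLE, date(2005, 10, 24)))
```

A server-side mechanism such as the ppolicy overlay mentioned in the reply differs in that the directory itself applies the policy at bind and password-modify time, regardless of which client connects.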