
Re: ppolicy implementation questions



Lee Sheridan wrote:
> I'm a little confused about a couple of things with ppolicy; I would
> appreciate someone helping me to sort it out.
>
> Here's my problem.  I have a pwdMinAge set to some number X.  The reason
> is that the password policy I'm implementing says that passwords must
> not be reused until some N days and Y number of changes have elapsed.
>
> Thus, pwdMinAge is approximately N / Y, which means that even if a user
> changes their password every X days, they won't go through all Y
> passwords until all N days have passed.  Clearly not the best option.

If your policy is N days AND Y number of changes, then it seems to me that you just need to set pwdMinAge to N and pwdInHistory to Y. Your use of pwdMinAge = N / Y would equate to N OR Y.

> So my first question is this:  I see that the pwdHistory attribute
> stores the time the password was used within it.  Is there some way for
> ppolicy to check if a password that is being reused has been reused in <
> X days?

Not at present.

> Failing in that (which would allow me to get rid of using pwdMinAge)...
> When I set a user password with the rootdn or similar, the user cannot
> reset their password because it is too young.  I can see no way to
> modify pwdChangedTime.  How exactly is this handled?

You would need to use something like the Relax Rules (formerly ManageDIT) control.
http://www.ietf.org/internet-drafts/draft-zeilenga-ldap-relax-00.txt
As an administrator you would set this control and delete the pwdChangedTime attribute.

> Third, apparently only the rootdn can set a password when the password
> is < pwdMinAge.  Users with an ACL that allows write access to
> userPassword also go through the ppolicy policies (which makes sense).
> Is there a way to exclude them also from ppolicy constraints when
> setting another user's password?

Not at present.

You're welcome to submit patches to the ITS implementing the features you're interested in.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
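As an added example (not code from this thread or from OpenLDAP), a Python script that applies the pwdMinAge/pwdInHistory mapping Howard gives and performs, out of band, the "reused within X days" check Lee asks about: it parses pwdHistory values (time#syntaxOID#length#data) and verifies a candidate password against the {SSHA} hashes they hold. The sample history values and salts are constructed; pwdMinAge is taken to be in seconds, as ppolicy expresses it.

```python
import base64
import hashlib
from datetime import datetime, timedelta, timezone

OCTET_STRING_OID = "1.3.6.1.4.1.1466.115.121.1.40"  # syntax OID ppolicy records for userPassword
TIME_FMT = "%Y%m%d%H%M%SZ"                         # GeneralizedTime as stored in pwdHistory

def policy_values(n_days: int, y_changes: int) -> dict:
    """The mapping from the reply: 'N days AND Y changes' -> pwdMinAge in seconds, pwdInHistory as a count."""
    return {"pwdMinAge": n_days * 86400, "pwdInHistory": y_changes}

def ssha(password: str, salt: bytes) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_matches(password: str, stored: str) -> bool:
    """Verify a candidate against an {SSHA} value; the salt is whatever follows the 20-byte digest."""
    if not stored.startswith("{SSHA}"):
        return False  # other hash schemes are out of scope for this example
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

def parse_pwd_history(value: str):
    """Split one pwdHistory value 'time#syntaxOID#length#data' into (aware datetime, data)."""
    time_str, _oid, length, data = value.split("#", 3)
    if len(data) != int(length):
        raise ValueError("pwdHistory length field does not match data")
    return datetime.strptime(time_str, TIME_FMT).replace(tzinfo=timezone.utc), data

def reused_within(candidate: str, history, max_age_days: int, now: datetime) -> bool:
    """True if the candidate equals a history entry recorded less than max_age_days before now."""
    cutoff = now - timedelta(days=max_age_days)
    return any(when >= cutoff and ssha_matches(candidate, data)
               for when, data in map(parse_pwd_history, history))

# Constructed sample data (not real directory content): two past passwords for one user.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def _history_value(days_ago: int, stored: str) -> str:
    when = (NOW - timedelta(days=days_ago)).strftime(TIME_FMT)
    return f"{when}#{OCTET_STRING_OID}#{len(stored)}#{stored}"

SAMPLE_HISTORY = [
    _history_value(120, ssha("winter2023", b"salt-a")),  # old enough to be reusable under a 90-day rule
    _history_value(10, ssha("spring2024", b"salt-b")),   # changed 10 days ago, still blocked
]
```

Such a check would run in whatever front end handles password changes, since ppolicy itself does not consult the timestamps in pwdHistory.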