On Tuesday 02 January 2007 13:34, Alina Dubrovska wrote:
> Hello,
>
> I need to implement directory users' credentials lifetime functionality on
> my OpenLDAP server (2.3.27). For each user lifetime can be set as "forever"
> or "number of days between 1 and 365". After lifetime expires user must be
> terminated (user entry still present in directory, but not able to
> authenticate).
>
> I have inspected slapo-ppolicy(5) overlay functionality, seems that:
>
> "pwdMaxAge=<lifetime>" + "pwdGraceAuthnLimit=0"
>
> would help, but then I need to setup separate policy for each user with
> different lifetime (not acceptable).

To be completely accurate, you would create a policy, and apply that policy to individual entries by setting the pwdPolicySubentry attribute of that entry to the DN of the policy.

> I would like to ask if slapd(8) offers features (in addition to
> slapo-ppolicy) to control the lifetime of directory users' credentials? Is
> there a convenient way to implement such requirement?

Note the ppolicy_default option, documented in the man page, which allows you to have a default password policy for the entire database (which you would override if necessary as above).

Regards,
Buchan

-- 
Buchan Milne
ISP Systems Specialist - Monitoring/Authentication Team Leader
B.Eng,RHCE(803004789010797),LPIC-2(LPI000074592)
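
The arrangement described in the reply above, written out as an added example that is not part of the original message: a database-wide default policy via ppolicy_default, one shared policy per distinct lifetime, and a per-entry override through pwdPolicySubentry. The suffix dc=example,dc=com, the ou=policies container, the policy names and uid=jdoe are assumptions.

```ldif
# Constructed example; dc=example,dc=com, ou=policies, the policy names and
# uid=jdoe are assumptions, not values from the thread.
#
# slapd.conf, inside the database section (ppolicy schema already included):
#   overlay ppolicy
#   ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Default policy, used by every entry that has no pwdPolicySubentry.
# pwdMaxAge: 0 means the password never expires ("forever").
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 0

# One shared policy per distinct lifetime, not one per user.
# pwdMaxAge is in seconds: 90 days * 86400 = 7776000.
# pwdGraceAuthNLimit: 0 allows no binds once the password has expired.
dn: cn=90days,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: 90days
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdGraceAuthNLimit: 0

# Override the default for one user by pointing the entry at that policy.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=90days,ou=policies,dc=example,dc=com
```

Expiry is counted from the entry's pwdChangedTime, so per slapo-ppolicy(5) an entry that lacks that attribute does not expire, and any password change restarts the lifetime.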