Re: Tips when implementing password policies



Chris Jacobs wrote:
I've a few accounts that I was testing with - after I set the password
/after/ ppolicy was in place, things work as expected. Password history, #
grace auths, etc.

However, for those accounts existing before the ppolicy was in place, no
enforcement - there's no password change date set, nor any other policy items
added - other than the pwdpolicysubentry.

Please read the slapo-ppolicy(5) manpage. In particular, read the description of the pwdChangedTime attribute.

One note: early on in the old LDAP installation's use, inetorgperson wasn't
a class on accounts. Is that necessary for pwdpolicy? Would that make everything
else work for the legacy accounts?

I'll send an example LDIF of a test account and a legacy account later.
- chris

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
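
Added example, not part of the original message or of OpenLDAP: per slapo-ppolicy(5), an entry with no pwdChangedTime has a password that will not expire, so the sketch below lists entries in an LDIF export that carry userPassword but no pwdChangedTime. The DNs, the sample LDIF and the function names are constructed for illustration; pwdChangedTime is an operational attribute, so the export must request it by name.

```python
# Added example: find entries with a password but no pwdChangedTime in LDIF text.
import base64

# Constructed sample export; DNs and values are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=test1,ou=people,dc=example,dc=com
objectClass: person
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdChangedTime: 20240101120000Z
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com

dn: uid=legacy1,ou=people,
 dc=example,dc=com
objectClass: person
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com

dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Yield (dn, set of lowercased attribute names) for each entry."""
    dn, attrs = None, set()
    for line in unfold(text) + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, set()
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if name.strip().lower() != "dn":
                attrs.add(name.strip().lower().split(";")[0])  # drop ;options
            elif value.startswith(":"):     # "dn:: <base64>"
                dn = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                dn = value.strip()

def missing_pwd_changed_time(text):
    """DNs that have userPassword but no pwdChangedTime."""
    return [dn for dn, attrs in parse_entries(text)
            if "userpassword" in attrs and "pwdchangedtime" not in attrs]

if __name__ == "__main__":
    print("\n".join(missing_pwd_changed_time(SAMPLE_LDIF)))
```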