[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: About ppolicy

Subject: Re: About ppolicy
From: Jacques Foucry <jacques.foucry@novasparks.com>
Date: Mon, 06 May 2013 10:47:51 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <alpine.SOC.2.02.1305031053460.17927@toolbox.rutgers.edu>
Organization: Novasparks
References: <5183CA9C.9080301@novasparks.com> <alpine.SOC.2.02.1305031053460.17927@toolbox.rutgers.edu>
User-agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5

Le 03/05/2013 17:04, Aaron Richton a Ãcrit :

Aaron,

Any shadowAccount concepts and slapo-ppolicy are independent. Your local
implementation can consider the usage of one/both/neither in a
coordinated fashion, but slapd won't help you in this manner.

Ok.

Note that slapo-ppolicy operates almost entirely server-side, whereas
any shadow-related attributes (i.e. shadowLastChange you mentioned) are
updated by LDAP clients (typically a LDAP NSS module or similar). If
you're trying to make something consistent across an entire directory,
depending on client-specific behavior is difficult unless you have tight
client control.

If I understood, It will be easier to disable shadow-related attributesand keep slapo-ppolicy manage the password policy on server-side,because I can't have a very hight control on the clients.


Jacques
--
Jacques Foucry
*NOVÎSPARKS *
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry@novasparks.com

References:
- About ppolicy
  - From: Jacques Foucry <jacques.foucry@novasparks.com>
- Re: About ppolicy
  - From: Aaron Richton <richton@nbcs.rutgers.edu>

Prev by Date: Re: Modern Password Hashes in Openldap?
Next by Date: Using LDAP how to restrict users to certain applications only
Index(es):
- Chronological
- Thread