Nikolaos Milas <nmilas@noa.gr> wrote:
On 1/4/2011 11:09 πμ, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
I just wanted to mention that there are significant integration issues of openldap ppolicy overlay in other software.
Right. You need to be careful integrating this overlay.
In many cases, a separate or a supplemental (to ppolicy) password management process should be established, like: http://tools.ltb-project.org/news/14 (which I haven't used myself). This could be expanded and/or tied to a cron-job that would send warnings to users etc. based on ldapsearch results.
At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))".
The status is changed by a nightly cron-job, which checks if the account is still valid or if it has to be deactived.
This extra attribute of course only works if you are able to change the filter a programm uses. If not, you have to implement different procedures, like moving the password hash out of userPassword to cause the login to fail.
Grüße, Sven.
-- Sig lost. Core dumped.