Nikolaos Milas <[email protected]> wrote: > On 1/4/2011 11:09 πμ, Sven Hartge wrote:
>> Have a look at the ppolicy slapd.overlay. This will solve your >> problem. > I just wanted to mention that there are significant integration issues > of openldap ppolicy overlay in other software. Right. You need to be careful integrating this overlay. > In many cases, a separate or a supplemental (to ppolicy) password > management process should be established, like: > http://tools.ltb-project.org/news/14 (which I haven't used myself). > This could be expanded and/or tied to a cron-job that would send > warnings to users etc. based on ldapsearch results. At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))". The status is changed by a nightly cron-job, which checks if the account is still valid or if it has to be deactived. This extra attribute of course only works if you are able to change the filter a programm uses. If not, you have to implement different procedures, like moving the password hash out of userPassword to cause the login to fail. Grüße, Sven. -- Sig lost. Core dumped.
