I have tried using ppolicy, but it is not really doing anything. I can confirm that my policy is being used by flipping the "pwdSafeModify" attribute.
When set to true, users cannot change their password and they get a message saying that they need to send both the old and new password together. Other than that, none of the other fields seem to have any effect.

Do you have a working example of ppolicy?

Thanks,
Dan

On Wed, Apr 10, 2013 at 9:03 AM, Clément OUDOT <[email protected]> wrote:

> 2013/4/10 D C <[email protected]>
>
>> After nearly two weeks of going nuts trying to set up a password policy, I
>> finally found part of the documentation that I was missing. Apparently
>> "ppolicy" does not actually enforce the policy you create. If I'm
>> understanding the documentation correctly, it really only provides more of
>> a transport to something else which can do it.
>
> No, ppolicy overlay manages a lot of things, like password history,
> password min size, password expiration, etc.
>
>> In particular the attribute pwdCheckModule, needs to point to a module
>> which can enforce the policy. However no module seems to be provided.
>>
>> What modules are other people using? I stumbled around and found
>> password_check.so, which I am trying to set up now with partial success.
>>
>> http://ltb-project.org/wiki/documentation/openldap-ppolicy-check-password
>
> This module adds some additional checks to the standard ppolicy overlay,
> like lower and upper case characters.
>
>> Anyone else have something better? One thing I need to do which I don't
>> think this will help with, is storing the last x passwords.
>
> Just use the standard ppolicy overlay and set pwdInHistory attribute value.
>
> Clément.
>
>> Thanks,
>> Dan
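
An added example, not part of the thread and not taken from the OpenLDAP or LTB projects: a default policy entry and cn=config overlay definition using the attributes discussed above (pwdInHistory, minimum length, expiration, pwdSafeModify). The suffix dc=example,dc=com, the ou=policies container, the cn=module{0} entry, the {1}hdb database index and all numeric values are assumptions.

```ldif
# Apply with ldapmodify against cn=config and the data suffix.
# Assumes the ppolicy schema is already loaded (OpenLDAP 2.4).

# 1. Load the overlay module (assumed module entry: cn=module{0}).
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy

# 2. Attach the overlay to the database and name the default policy.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext passwords sent in plain Modify operations, so the
# server sees the cleartext and can run quality checks before storing.
olcPPolicyHashCleartext: TRUE

# 3. The policy entry itself. pwdPolicy is an auxiliary class, so a
#    structural class (device) is required alongside it.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Keep the last 5 passwords and refuse their reuse.
pwdInHistory: 5
# pwdMinLength is only checked when pwdCheckQuality is non-zero.
# 2 = reject the change if the password cannot be checked (pre-hashed).
pwdCheckQuality: 2
pwdMinLength: 8
# Expire after 90 days, warn during the last 7 (values in seconds).
pwdMaxAge: 7776000
pwdExpireWarning: 604800
# FALSE: the old password need not accompany the new one.
pwdSafeModify: FALSE
pwdLockout: TRUE
pwdMaxFailure: 5
```

When testing a policy like this, bind as an ordinary user: slapo-ppolicy(5) notes that some policies do not take effect for operations performed with the rootdn identity.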
