Hi Dieter,

Thank you for the suggestion. This certainly is one way to go. Your approach is simple. That's always good. I just need to think whether disallowing password change for trial users is acceptable.

Sincerely,
Igor Shmukler

On Thursday, March 5, 2015, Dieter Klünter <[email protected]> wrote:

> On Thu, 5 Mar 2015 11:35:23 +0200,
> Igor Shmukler <[email protected]> wrote:
>
> > Hello,
> >
> > I am trying to implement a trial [period] for new customers, using the
> > OpenLDAP password policy overlay.
> >
> > I was thinking about setting a combination of pwdMaxAge, pwdMustChange
> > and pwdAllowUserChange.
> >
> > Basically, the best idea I have had is to set MaxAge to the length of
> > trial [in seconds] then if a user changes the password while in trial
> > mode, calculate MaxAge as (trial_length - time_passed), then at the
> > end setting MustChange to true and AllowUserChange to false [until the
> > trial has been converted].
> >
> > Is that a sane policy? Should I be doing something totally different?
> > Please advise.
>
> I would create and set a password according to RFC-3062, a little Perl
> script could do this and mail the password to the trial user. I would
> not allow a user to modify her password in a trial period.
>
> Policy would be
> pwdAllowuserChange: false
> pwdMustChange: false
> pwdSafeModify: false
> pwdMaxAge: according to your requirements.
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
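The policy suggested in the quoted reply, written out as LDIF for the ppolicy overlay. This is an added example, not part of the original thread; the DNs, the policy name, the structural class and the 30-day trial length are assumptions.

```ldif
# Added example; DNs, the policy name and the 30-day length are constructed.
# Load with ldapmodify against a database that has the ppolicy overlay.

# 1. A dedicated policy entry for trial accounts.
dn: cn=trial,ou=policies,dc=example,dc=com
changetype: add
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: trial
# pwdAttribute is the one mandatory attribute of pwdPolicy.
pwdAttribute: userPassword
# Trial length in seconds: 30 days * 86400 (assumed value).
# The age is counted from the user's pwdChangedTime, so the password
# should be set when the trial starts.
pwdMaxAge: 2592000
# LDAP Boolean syntax: values are written TRUE / FALSE.
pwdAllowUserChange: FALSE
pwdMustChange: FALSE
pwdSafeModify: FALSE
# No grace binds: once the password has expired, binds are refused.
pwdGraceAuthNLimit: 0

# 2. Attach the policy to one trial user (hypothetical entry).
dn: uid=trialuser,ou=people,dc=example,dc=com
changetype: modify
replace: pwdPolicySubentry
pwdPolicySubentry: cn=trial,ou=policies,dc=example,dc=com
```

When a trial converts, deleting pwdPolicySubentry from the user's entry returns the account to the overlay's default policy, assuming one is configured.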
