Hi,

On 3/27/07, Emmanuel Lecharny <[EMAIL PROTECTED]> wrote:
> Hi Dave!
>
> On 3/27/07, Dave Bartlett <[EMAIL PROTECTED]> wrote:
> > I am evaluating LDAP implementations. I had a difficult time
> > determining if Apache Directory can perform some password policy
> > functions such as max and min characters in password, expiration days,
> > warning days before expiration, logon attempts, etc.
>
> No, we haven't implemented password policies right now. But this is
> something we might do sooner or later.
>
> > In Apache Directory would this be done through 'custom authenticators'?
>
> Sure. This is not really the simplest way to do it, but this is the way
> to go. We may think about other options, like triggers or Stored
> Procedures (we have both) to handle such policies. For instance, with
> Stored Procedures, we can check if the password is correct with regard
> to the given policy. The good point about SP is that it's basically a
> Java class you simply store into the server, as any other LDAP element,
> so you don't have to rebuild the server.
>
> Alex and Ersin, correct me if I'm wrong!

This sounds like a valid way to implement it, sure. Another option is to centralize auth policy for the server using some of the code already in the change password service by bringing it into the core. This way all services can benefit from this policy management module. It can be used to validate password changes. Triggers may do the work of initiating validation against a given policy using the central policy manager.

We have a lot of things going on in this space: the work Ersin was doing with that draft specification, triggers, Enrique's work and the idea of centralizing a policy manager. We just need someone to take the lead on this stuff. Perhaps Dave can help us with that?

Alex
