Hi,
there are two schemes of password management with LDAP servers:
- the LDAP server supports attributes like 'shadowLastChange', 'shadowExpire' etc. to store the relevant information at a central storage, but the evaluation is done on the client
- the server supports password policies (see http://tools.ietf.org/html/draft-behera-ldap-password-policy-10 ) and all management and evaluation is done on the server side.
My question is whether we shall support the first one as a 'legacy' option (pam_ldap does), or if we should only implement the second one?
Btw. I think currently the LDAP component of IPA supports none of the above.
bye, Sumit
On Mon, 2009-10-05 at 11:31 +0200, Sumit Bose wrote:
> Hi,
> there are two schemes of password management with LDAP servers:
> - the LDAP server supports attributes like 'shadowLastChange', 'shadowExpire' etc. to store the relevant information at a central storage, but the evaluation is done on the client
> - the server supports password policies (see http://tools.ietf.org/html/draft-behera-ldap-password-policy-10 ) and all management and evaluation is done on the server side.
> My question is whether we shall support the first one as a 'legacy' option (pam_ldap does), or if we should only implement the second one?
We should certainly support the latter, but I don't like the former schema much.
> Btw. I think currently the LDAP component of IPA supports none of the above.
IPA uses the Kerberos schema to set expiration time (same kind of checks you may do against the shadow schema), and in v2 Rob has been working to integrate with the 389DS password policy engine. In any case we are planning to support the Behera draft in the future.
Maybe we could have some generic code that can check either the classic shadow schema or the krb attributes by means of simply configuring the attributes to check and the time format used?
Simo.
sssd-devel@lists.fedorahosted.org
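The sketch below is an added example written for this page; it is not code from the thread, from SSSD or from IPA. It shows what the "generic" client-side evaluator Simo proposes could look like, covering Sumit's first scheme (shadow attributes evaluated on the client) and the Kerberos attributes IPA uses: the attribute names and the time encoding are configuration, so one evaluator handles both the shadow schema (values are days since the epoch, with the shadow(5) conventions that shadowLastChange=0 forces a change and shadowMax=99999 disables aging) and the Kerberos LDAP schema (values are LDAP GeneralizedTime). The Kerberos attribute names (krbLastPwdChange, krbPasswordExpiration, krbPrincipalExpiration) are taken from the MIT Kerberos LDAP schema and are an assumption here, as are the sample entries, which are constructed and dated around the thread. The second scheme (Behera server-side policy) is deliberately not modelled, because under it the client evaluates nothing and only interprets the server's response controls.

```python
"""Client-side evaluation of expiry attributes read from an LDAP entry.

Added example, not SSSD/IPA code. Attribute names for the Kerberos side and
all sample entries are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

SECONDS_PER_DAY = 86400
SHADOW_NO_AGING = 99999   # shadow(5): shadowMax >= 99999 means the password never ages


@dataclass(frozen=True)
class ExpiryPolicy:
    """Which attributes to read and how their values encode time."""
    time_format: str                            # "days" (shadow) or "generalized" (LDAP GeneralizedTime)
    last_change_attr: Optional[str] = None      # when the password was last set
    max_age_attr: Optional[str] = None          # relative lifetime in days (shadow only)
    pw_expire_attr: Optional[str] = None        # absolute password expiry
    account_expire_attr: Optional[str] = None   # absolute account expiry
    warn_days_attr: Optional[str] = None        # days before expiry at which to warn


SHADOW_POLICY = ExpiryPolicy("days", "shadowLastChange", "shadowMax", None,
                             "shadowExpire", "shadowWarning")
# Kerberos attribute names: assumed from the MIT Kerberos LDAP schema.
KRB_POLICY = ExpiryPolicy("generalized", "krbLastPwdChange", None,
                          "krbPasswordExpiration", "krbPrincipalExpiration")


def _first(entry, attr):
    """LDAP attributes are multi-valued; return the first value as text, or None."""
    if attr is None or attr not in entry:
        return None
    value = entry[attr]
    if isinstance(value, (list, tuple)):
        value = value[0] if value else None
    if isinstance(value, bytes):
        value = value.decode("utf-8")
    return value


def parse_time(value, time_format):
    """Decode one attribute value into an aware UTC datetime."""
    if time_format == "days":
        return datetime.fromtimestamp(int(value) * SECONDS_PER_DAY, tz=timezone.utc)
    if time_format == "generalized":
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unknown time format: %r" % time_format)


def evaluate(entry, policy, now):
    """Return (status, days_left); days_left is None when no expiry applies."""
    acct = _first(entry, policy.account_expire_attr)
    if acct not in (None, "", "-1") and parse_time(acct, policy.time_format) <= now:
        return "account_expired", None

    last = _first(entry, policy.last_change_attr)
    if policy.time_format == "days" and last is not None and int(last) == 0:
        return "change_required", 0      # shadowLastChange=0: change at next login

    expiry = None
    absolute = _first(entry, policy.pw_expire_attr)
    max_age = _first(entry, policy.max_age_attr)
    if absolute not in (None, ""):
        expiry = parse_time(absolute, policy.time_format)
    elif last is not None and max_age is not None and int(max_age) < SHADOW_NO_AGING:
        expiry = parse_time(last, policy.time_format) + timedelta(days=int(max_age))

    if expiry is None:
        return "ok", None
    days_left = (expiry - now).days
    if expiry <= now:
        return "password_expired", days_left
    warn = _first(entry, policy.warn_days_attr)
    if warn is not None and days_left < int(warn):
        return "warn", days_left
    return "ok", days_left


# Constructed sample entries in python-ldap's shape (lists, sometimes bytes).
# Day 14522 since the epoch is 2009-10-05, the date of the thread.
SAMPLES = {
    "shadow_warn":     (SHADOW_POLICY, {"shadowLastChange": ["14510"], "shadowMax": ["15"], "shadowWarning": ["7"]}),
    "shadow_expired":  (SHADOW_POLICY, {"shadowLastChange": ["14400"], "shadowMax": ["90"]}),
    "shadow_forced":   (SHADOW_POLICY, {"shadowLastChange": ["0"], "shadowMax": ["90"]}),
    "shadow_account":  (SHADOW_POLICY, {"shadowLastChange": ["14510"], "shadowMax": ["90"], "shadowExpire": ["14500"]}),
    "shadow_no_aging": (SHADOW_POLICY, {"shadowLastChange": ["14510"], "shadowMax": ["99999"]}),
    "krb_ok":          (KRB_POLICY, {"krbLastPwdChange": [b"20090901120000Z"], "krbPasswordExpiration": [b"20091101000000Z"]}),
    "krb_expired":     (KRB_POLICY, {"krbPasswordExpiration": [b"20091001000000Z"]}),
    "krb_account":     (KRB_POLICY, {"krbPrincipalExpiration": [b"20091001000000Z"], "krbPasswordExpiration": [b"20091101000000Z"]}),
}


def evaluate_samples(now=datetime(2009, 10, 5, tzinfo=timezone.utc)):
    """Run every sample through its policy at the given instant."""
    return {name: evaluate(entry, policy, now) for name, (policy, entry) in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print("%-16s %s" % (name, result))
```

Only the attribute names and the time decoder differ between the two policies; the ordering of the checks (account expiry first, forced change second, then password expiry and warning) is the same, which is the point of making the schema a configuration rather than two code paths.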