Howard Chu
2006-Oct-27 14:56 UTC
RE: [Fedora-directory-users] Issue with fine-grained password policy
> Date: Thu, 26 Oct 2006 12:06:08 -0500
> From: "Greg Copeland" <GCopeland@efjohnson.com>
>
>> > Actually PADL's pam_ldap has had support for Netscape password policy
>> > for many years - you just have to enable it and tell it the DN of the
>> > policy object. Recently support has also been added for the IETF draft
>
> Can you expand on the "...tell it the DN..." part there?

I misspoke. When you configure the pam_lookup_policy keyword pam_ldap will do an anonymous search in the rootDSE with a filter (objectclass=passwordPolicy) and use what it finds there. So the only requirement is that you give anonymous enough privileges to perform the search.

--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
Greg Copeland
2006-Oct-27 20:53 UTC
RE: [Fedora-directory-users] Issue with fine-grained password policy
Great. Thanks. When I read that I was wondering if I had skipped a step.

Cheers,

Greg Copeland

> -----Original Message-----
> From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Howard Chu
> Sent: Friday, October 27, 2006 9:57 AM
> To: fedora-directory-users@redhat.com
> Subject: RE: [Fedora-directory-users] Issue with fine-grained password policy
>
> > Date: Thu, 26 Oct 2006 12:06:08 -0500
> > From: "Greg Copeland" <GCopeland@efjohnson.com>
> >
> >> > Actually PADL's pam_ldap has had support for Netscape password policy
> >> > for many years - you just have to enable it and tell it the DN of the
> >> > policy object. Recently support has also been added for the IETF draft
> >
> > Can you expand on the "...tell it the DN..." part there?
>
> I misspoke. When you configure the pam_lookup_policy keyword pam_ldap
> will do an anonymous search in the rootDSE with a filter
> (objectclass=passwordPolicy) and use what it finds there. So the only
> requirement is that you give anonymous enough privileges to perform the
> search.
>
> --
> -- Howard Chu
> Chief Architect, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc
> OpenLDAP Core Team http://www.openldap.org/project/
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users