Phil Pennock wrote:
On 2007-10-24 at 16:57 -0500, Peter da Silva wrote:
A wrapper script to avoid the whole PAM mess and just provide passwd(1)
compatibility by also calling ldappasswd from OpenLDAP? Crude but
effective? Or do users need to be able to change passwords from GUI
tools and automatically at login with (*spit*) expiration policies?
*Hey!* Careful with those expiration policies!
Expiration policies are wonderful things, enhancing security and encouraging
exploration. Without them, how would I ever find out that fuck,You is a
legitimate password on a system that thinks it only permits passwords of 12 or
more characters, *and* has an (apparently overly sanitized) dictionary for
validating password security? Not to mention all the ubersecure passwords
produced by walking on the keyboard with one's fingertips.
