On 01/09/2017 at 10:23, Sebastian Perkins - Hoist Group - Switzerland wrote:
> Hi everyone,
Hello Sebastian,
> We have been using ssp for 8 months and all is great. However, we
> have to comply with some password rules from a major customer.
> · Password complexity: that’s ok, ssp handles that great
> · Change password after x days: this is where things get tricky, we
>   are thinking of
>   o using ldap ppolicy extension just to “lockout” the account after X days
>   o sending a reminder via email
>   o user groans as he is locked out :D
>   o ssp then is used as of today to change the password
> · (ideally) password history is challenged (I know I know php-ldap…)
> Excluding the password history bullet, is this ok with ssp?
There is a difference between a locked password and an expired password,
you can see it if you read the password policy draft.
In your case, it seems you are talking about password expiration. It is
indeed managed by the LDAP directory. You can find here a small script to
send a reminder by email if you need one:
https://github.com/ltb-project/ldap-scripts/blob/master/checkLdapPwdExpiration.sh.
There is also a PR to rewrite it in PHP:
https://github.com/ltb-project/self-service-password/pull/139
If the password is expired, the user will not be able to change it (as the old
password will be rejected). He can reset it by mail or SMS.
> Password history is next step discussion, I do remember an old thread
> to directly extract the ldap policy info…
Yes, there is also a PR on this subject:
https://github.com/ltb-project/self-service-password/pull/101. It still
needs some work.
--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
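
Added example, not part of the original thread and not code from the LTB project: a sketch of the locked versus expired distinction made in the reply, using the attribute names from the password policy draft (pwdChangedTime, pwdMaxAge, pwdExpireWarning, pwdAccountLockedTime, pwdLockoutDuration). The function names, the policy values and the four entries are constructed for illustration; timestamps are assumed to be UTC without fractional seconds.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample policy: 90-day pwdMaxAge, 14-day pwdExpireWarning (seconds).
POLICY = {"pwdMaxAge": "7776000", "pwdExpireWarning": "1209600",
          "pwdLockoutDuration": "0"}
# Constructed sample entries (operational attributes as returned by a search).
ENTRIES = {
    "alice": {"pwdChangedTime": "20170801000000Z"},
    "bob": {"pwdChangedTime": "20170610000000Z"},
    "carol": {"pwdChangedTime": "20170501000000Z"},
    "dave": {"pwdChangedTime": "20170820000000Z",
             "pwdAccountLockedTime": "20170831120000Z"},
}
NOW = datetime(2017, 9, 1, 8, 23, tzinfo=timezone.utc)  # constructed "today"

def parse_generalized_time(value):
    """Parse a UTC GeneralizedTime without fractional seconds."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_state(entry, policy, now):
    """Return (state, expiry): state is 'locked', 'expired', 'warn' or 'ok'."""
    # Lockout is a separate mechanism, recorded in pwdAccountLockedTime.
    locked_at = entry.get("pwdAccountLockedTime")
    if locked_at:
        duration = int(policy.get("pwdLockoutDuration", "0"))
        # 000001010000Z = permanent lock; duration 0 = until an admin resets.
        if locked_at == "000001010000Z" or duration == 0:
            return "locked", None
        if now < parse_generalized_time(locked_at) + timedelta(seconds=duration):
            return "locked", None
    # Expiration is derived: pwdChangedTime + pwdMaxAge (0 = never expires).
    max_age = int(policy.get("pwdMaxAge", "0"))
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or not changed:
        return "ok", None
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    if now >= expires:
        return "expired", expires
    warning = int(policy.get("pwdExpireWarning", "0"))
    if warning and now >= expires - timedelta(seconds=warning):
        return "warn", expires  # candidate for a reminder e-mail
    return "ok", expires

def classify(entries, policy, now):
    """Map each user to its state, e.g. to pick who gets a reminder."""
    return {uid: password_state(e, policy, now)[0] for uid, e in entries.items()}

if __name__ == "__main__":
    print(classify(ENTRIES, POLICY, NOW))
```

Entries in the "warn" state are the ones a reminder job would mail; "expired" entries need the mail or SMS reset path, since the old password is no longer accepted.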