On Mon, 2009-10-05 at 11:31 +0200, Sumit Bose wrote:
> Hi,
>
> there are two schemes of password management with LDAP servers
> - the LDAP server supports attributes like 'shadowLastChange',
> 'shadowExpire' etc. to store the relevant information at a central
> storage, but the evaluation is done on the client
> - the server supports password policies (see
> http://tools.ietf.org/html/draft-behera-ldap-password-policy-10 )
> and all management and evaluation is done on the server side.
>
> My question is whether we shall support the first one as a 'legacy'
> option (pam_ldap does), or if we should only implement the second
> one?
We should certainly support the latter, but I don't like the former schema much.

> Btw. I think currently the LDAP component of IPA supports none of the
> above.

IPA uses the Kerberos schema to set expiration time (same kind of checks you may do against the shadow schema), and in v2 Rob has been working to integrate with the 389DS password policy engine.

In any case we are planning to support the Behera draft in the future.

Maybe we could have some generic code that can check either the classic shadow schema or the krb attributes by means of simply configuring the attributes to check and the time format used?

Simo.

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
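A sketch of the "generic code" Simo suggests, added here as an illustration rather than anything from the SSSD tree: the attribute names and the time encoding are table-driven, so the same client-side check covers the shadow schema (days since the epoch, as pam_ldap evaluates it) and the Kerberos `krbPasswordExpiration` attribute (LDAP generalized time). The schema tables, the fixed 7-day Kerberos warning window and the sample entries are assumptions made up for the example.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Hypothetical attribute maps: which attributes to read and how their times are encoded.
SHADOW_SCHEMA = {
    "last_change": "shadowLastChange",  # days since the epoch of the last change
    "max_age": "shadowMax",             # days a password stays valid
    "warning": "shadowWarning",         # per-entry warning window, in days
    "time_format": "days",
}
KRB_SCHEMA = {
    "expires_at": "krbPasswordExpiration",  # absolute expiry, generalized time
    "warning_days": 7,                      # no per-entry attribute; fixed policy
    "time_format": "generalized",
}

def to_datetime(value, fmt):
    """Decode one attribute value into an aware UTC datetime."""
    if fmt == "days":
        return EPOCH + timedelta(days=int(value))
    if fmt == "generalized":  # e.g. 20091231235959Z
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown time format {fmt!r}")

def password_expiry(entry, schema):
    """Expiry datetime for the entry's password, or None when it never expires."""
    fmt = schema["time_format"]
    if "expires_at" in schema:            # server stores an absolute timestamp
        raw = entry.get(schema["expires_at"])
        return to_datetime(raw, fmt) if raw else None
    last, max_age = entry.get(schema["last_change"]), entry.get(schema["max_age"])
    if last is None or max_age is None:
        return None
    if int(last) == 0:                    # shadow(5): 0 forces a change at next login
        return EPOCH
    if int(max_age) < 0 or int(max_age) >= 99999:  # shadow(5): no ageing in effect
        return None
    return to_datetime(last, fmt) + timedelta(days=int(max_age))

def check_password(entry, schema, now):
    """Classify the password as 'ok', 'warn' or 'expired' at time `now`."""
    expires = password_expiry(entry, schema)
    if expires is None:
        return "ok"
    if now >= expires:
        return "expired"
    if "warning" in schema:
        warn_days = int(entry.get(schema["warning"], 0))
    else:
        warn_days = schema.get("warning_days", 0)
    return "warn" if now >= expires - timedelta(days=warn_days) else "ok"
```

Either way the decision is made on the client from attributes it read, which is exactly the property the Behera draft removes by having the server evaluate the policy and report the result in the bind response.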