Using Password Policy
Documentation applicable for LemonLDAP::NG >= 0.9.1
The Password Policy Standard
Password Policy is still a draft LDAPv3 extension and can be read here:
https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt
(en). Some LDAP servers implement it, such as OpenLDAP with its ppolicy
overlay.
Prerequisites
Compliant LDAP server
Your LDAP server must provide the LDAP Password Policy Control
(OID: 1.3.6.1.4.1.42.2.27.8.5.1).
Documentation on how to set ppolicy in OpenLDAP can be found here:
http://www.linagora.org/article165.html (fr).
Perl Net::LDAP module
The Net::LDAP::Control::PasswordPolicy module has been available since
Perl-LDAP 0.36. However, some bugs relating to this module were found, so we
advise using at least 0.39. Please update your Perl installation if you want
to deal with Password Policy in LemonLDAP::NG: http://ldap.perl.org/ (en).
Password Policy in LemonLDAP::NG
The Password Policy functionality has been available since LemonLDAP::NG
0.9.1. It allows the portal page to display 2 new error messages:
- Your account is locked
- Your password has expired
Since LemonLDAP::NG 0.9.3, password policy is also used in the menu, with
the password change form. It handles the following errors:
- Password too short
- Password in history
- Password too young
LemonLDAP::NG also notifies the user of:
- Password expiration time
- Password graces used
To activate Password Policy, you have to set a new parameter inside
your portal Perl script (e.g. portal/index.pl), like:
    #!/usr/bin/perl
    use Lemonldap::NG::Portal::SharedConf;
    my $portal = Lemonldap::NG::Portal::SharedConf->new(
        {
            configStorage => {
                type    => 'File',
                dirName => '/var/lib/config',
            },
            # Activate LDAP Password Policy handling
            ldapPpolicyControl => 1,
        }
    );