RSS feed

Re: Plans for implementing ppolicy?

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: Plans for implementing ppolicy?

FWIW, I still use an older version of nss-pam-ldapd on some of my Ubuntu 
systems (package version 0.7.6-1 on Hardy & Lucid, which includes a few 
backported changes, but certainly not as new ast 0.8.3) w/ ppolicy, and it 
works just fine in terms of locking out users for password expiry, failed 
consecutive logins, and so on.  Maybe I'm not understanding the issue you are 
dealing with clearly?  We also have some newer systems that use nssov (which 
uses nss-ldapd under the hood) if it's an option for you - we've gotten our 
desired results from that setup as well.

Arthur de Jong wrote:
> On Tue, 2012-09-11 at 11:39 -0600, Ryan Kish wrote:
>> I have been working on improving my ldap setup for some time. On my
>> list of action items is password aging and failed login attempt
>> lockouts. Per the documentation, it's clear that this is not yet
>> supported, and my testing seems to confirm that. (currently working on
>> a standard ppolicy setup).
> nss-pam-ldapd indeed currently doesn't support LDAP ppolicy. For
> password ageing using the shadow attributes is recommended. Versions of
> nss-pam-ldapd since 0.8.3 check shadow attributes always, before that
> you would have to rely on pam_unix checking shadow attributes.
>> my question is if/when there are plans to actually implement ppolicy
>> in nslcd and the supporting libraries?  If there is no plans, does
>> anyone have pointers on work arounds I could attempt to achieve my
>> goals?
> If you're willing to implement this in nslcd I can assist. I've had a
> look a little while back but only made a very small start. Some pointers
> here:
> If anyone else has time to look at this now I would welcome patches for
> it.
> Thanks,

Ryan Steele                          
Systems Administrator                          +1 215-825-2196 x758
AWeber Communications                
To unsubscribe send an email to or see