SUMMARY: LDAP Authentication and C2

From: UCX Foe (ucxfoe@yahoo.com)
Date: Wed Oct 16 2002 - 17:02:18 EDT

• Next message: Jonathan Williams: "UPDATE: Clearing a port"
• Previous message: Jonathan Williams: "Clearing a port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Looks like a non-starter for us but someone searching the
archives might benefit so here goes.

/b

--- Original Message ---
> Does anyone know what C2 knobs need to be twiddled/disabled
> when using the LDAP Module for System Authentication? Specifically,
> can password aging be implemented?

--- Pat O'Brien (thread with TruHP engineering) ---

> I was looking to implement the c2 feature of expiring passwords in
> a ldap configuration. Would you know if this has been done, and
> where I could look?

That would require either us (Internet Express/IASS) modifying the
ldap record schema to include more information about password change
time and then within the ldap SIA mechanism actually perform the
checks for password expiration or you could write your own ldap SIA
mechanism and have your own schema that supports the password
expiration feature...

As far as I know, the product we ship does not support that option
(yet). I did put the bug in the ear of the engineering manager today
though - so who knows, sometime soon it could.

Remember than the ldap product we provide merely provides a central
repository for passwd data - that is instead of having a user's
passwd struct information in the /etc/passwd file - it's in an ldap
directory.

Another options would be to use Enhanced Security and ldap together
and configure ES to do what you want. Since, the ldap mechanism is
just providing 'passwd' style records and I'm pretty sure with the
proper configuration, you'd get what you want. What that config would
be would depend on what features of ES you wish to utilize... I
understand not everyone likes the idea of "going to" Enhanced
Security, but you can configure it on a v5 system to be in "shadow
password" mode and utilize a number of the password expiration/reuse
feature provided.

--- Manish Vashi ---

Yes when using LDAP you need to disable C2.

--- Dave Love ---
I don't know about aging specifically, but editing the expiry date
directly worked for me in a quick test. (Tested with
directory_administrator editing an OpenLDAP database.)

no, not yet. I previously had contact in engineering on this same
question in november of last year. We then followed this up with
at the high performance symposium last june in florida.

• Next message: Jonathan Williams: "UPDATE: Clearing a port"
• Previous message: Jonathan Williams: "Clearing a port"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:56 EDT