<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"> <head> <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" /> <title>Lemonldap::NG documentation: 4.8-Configure-password-policy.html</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <style type="text/css"> /*<![CDATA[*/ body{ background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; } div.main-content{ padding: 10px; background: #fff; border: 2px #ccc solid; } a{ text-decoration: none; } p.footer{ text-align: center; margin: 5px 0 0 0; } .heading-1{ text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; } .heading-1-1{ color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; } pre{ background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; } ul.star li{ list-style-type: square; } /*]]>*/ </style> </head> <body> <div class="main-content"> <h2 class="heading-1"><span id="HUsingPasswordPolicy">Using Password Policy</span></h2> <p class="paragraph"></p> <ul> <li><a href="#HThePasswordPolicyStandard">The Password Policy Standard</a></li> <li> <a href="#HPrerequisites">Prerequisites</a> <ul> <li><a href="#HCompliantLDAPserver">Compliant LDAP server</a></li> <li><a href="#HPerlNet3A3ALDAPmodule">Perl Net::LDAP module</a></li> </ul> </li> <li><a href="#HPasswordPolicyinLemonLDAP3A3ANG">Password Policy in LemonLDAP::NG</a></li> <li><a href="#HSeealso">See also</a></li> </ul><strong class="strong">Documentation applicable for LemonLDAP::NG >= 0.9.1</strong> <h3 class="heading-1-1"><span id="HThePasswordPolicyStandard">The Password Policy Standard</span></h3> <p class="paragraph"></p>Password Policy is still a draft of an LDAPv3 extension and can be read here: <span class="wikiexternallink"><a href=
"https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt"> https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt</a></span> (en). Some LDAP servers implement it, such as OpenLDAP with its ppolicy overlay. <h3 class="heading-1-1"><span id= "HPrerequisites">Prerequisites</span></h3> <h4 class="heading-1-1-1"><span id="HCompliantLDAPserver">Compliant LDAP server</span></h4> <p class="paragraph"></p>Your LDAP server must provide the LDAP Password Policy Control (OID: 1.3.6.1.4.1.42.2.27.8.5.1). <p class="paragraph"></p>Documentation on how to set ppolicy in OpenLDAP can be found here: <span class="wikiexternallink"><a href= "http://www.linagora.org/contrib/annuaires/documentations/overlay_ppolicy_openldap"> http://www.linagora.org/contrib/annuaires/documentations/overlay_ppolicy_openldap</a></span> (fr). <h4 class="heading-1-1-1"><span id="HPerlNet3A3ALDAPmodule">Perl Net::LDAP module</span></h4> <p class="paragraph"></p>The Net::LDAP::Control::PasswordPolicy module has been available since Perl-LDAP 0.36, but some bugs were found in this module, so we advise using at least 0.39. Please update your Perl installation if you want to use Password Policy in LemonLDAP::NG: <span class="wikiexternallink"><a href= "http://ldap.perl.org/">http://ldap.perl.org/</a></span> (en). <h3 class="heading-1-1"><span id= "HPasswordPolicyinLemonLDAP3A3ANG">Password Policy in LemonLDAP::NG</span></h3> <p class="paragraph"></p>The Password Policy functionality is available since LemonLDAP::NG 0.9.1. It allows the portal page to display 2 new error messages: <ul class="star"> <li>Your account is locked</li> <li>Your password has expired</li> </ul>Since LemonLDAP::NG 0.9.3, password policy is also used in the menu, with the password change form.
It handles the following errors: <ul class="star"> <li>Password too short</li> <li>Password in history</li> <li>Password too young</li> </ul>LemonLDAP::NG also notifies the user of: <ul class="star"> <li>Password expiration time</li> <li>Password graces used</li> </ul>Since LemonLDAP::NG 0.9.4, password policy can be used to force a password change if the password was reset (attribute pwdReset: TRUE in the user entry). <p class="paragraph"></p>To activate Password Policy, you have to set a new parameter inside your portal Perl script (e.g. portal/index.pl), for example: <p class="paragraph"></p> <div class="code">
<pre>#!/usr/bin/perl

use Lemonldap::NG::Portal::SharedConf;

my $portal = Lemonldap::NG::Portal::SharedConf->new(
    {
        configStorage => {
            type    => 'File',
            dirName => '/var/lib/config',
        },
        # Activate the LDAP Password Policy control in the portal
        <b class="bold">ldapPpolicyControl => 1</b>,
    }
);
</pre>
</div> <h3 class="heading-1-1"><span id="HSeealso">See also</span></h3> <ul class="star"> <li><span class="wikilink"><a href= "4.5-LDAP-authentication-backend.html">Auth LDAP</a></span></li> <li><span class="wikilink"><a href= "4.7-LDAP-password-backend.html">Password DBLDAP</a></span></li> </ul> </div> <p class="footer"><a href="index.html">Index</a></p> </body> </html>