<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
<meta name="generator" content=
"HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />
<title>Lemonldap::NG documentation:
4.8-Configure-password-policy.html</title>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<style type="text/css">
/*<![CDATA[*/
body{
background: #ddd;
font-family: sans-serif;
font-size: 11pt;
padding: 0 50px;
}
div.main-content{
padding: 10px;
background: #fff;
border: 2px #ccc solid;
}
a{
text-decoration: none;
}
p.footer{
text-align: center;
margin: 5px 0 0 0;
}
.heading-1{
text-align: center;
color: orange;
font-variant: small-caps;
font-size: 20pt;
}
.heading-1-1{
color: orange;
font-size: 14pt;
border-bottom: 2px #ccc solid;
}
pre{
background: #eee;
border: 2px #ccc solid;
padding: 5px;
border-left: 10px #ccc solid;
}
ul.star li{
list-style-type: square;
}
/*]]>*/
</style>
</head>
<body>
<div class="main-content">
<h2 class="heading-1"><span id="HUsingPasswordPolicy">Using Password
Policy</span></h2>
<p class="paragraph"></p>
<ul>
<li><a href="#HThePasswordPolicyStandard">The Password Policy
Standard</a></li>
<li>
<a href="#HPrerequisites">Prerequisites</a>
<ul>
<li><a href="#HCompliantLDAPserver">Compliant LDAP server</a></li>
<li><a href="#HPerlNet3A3ALDAPmodule">Perl Net::LDAP module</a></li>
</ul>
</li>
<li><a href="#HPasswordPolicyinLemonLDAP3A3ANG">Password Policy in
LemonLDAP::NG</a></li>
<li><a href="#HSeealso">See also</a></li>
</ul><strong class="strong">Documentation applicable for LemonLDAP::NG
>= 0.9.1</strong>
<h3 class="heading-1-1"><span id="HThePasswordPolicyStandard">The Password
Policy Standard</span></h3>
<p class="paragraph"></p>Password Policy is still now a draft of an LDAPv3
extension and can be read here: <span class="wikiexternallink"><a href=
"https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt">
https://opends.dev.java.net/public/standards/draft-behera-ldap-password-policy.txt</a></span>
(en). Some LDAP servers implements it, like OpenLDAP and its ppolicy
overlay.
<h3 class="heading-1-1"><span id=
"HPrerequisites">Prerequisites</span></h3>
<h4 class="heading-1-1-1"><span id="HCompliantLDAPserver">Compliant LDAP
server</span></h4>
<p class="paragraph"></p>Your LDAP server must provide the LDAP Password
Policy Control (OID: 1.3.6.1.4.1.42.2.27.8.5.1).
<p class="paragraph"></p>Documentation on how to set ppolicy in OpenLDAP
can be found here: <span class="wikiexternallink"><a href=
"http://www.linagora.org/contrib/annuaires/documentations/overlay_ppolicy_openldap">
http://www.linagora.org/contrib/annuaires/documentations/overlay_ppolicy_openldap</a></span>
(fr).
<h4 class="heading-1-1-1"><span id="HPerlNet3A3ALDAPmodule">Perl Net::LDAP
module</span></h4>
<p class="paragraph"></p>The Net::LDAP::Control::PasswordPolicy is
available since Perl-LDAP 0.36. But some bugs relative to this modules wer
found, so we advice to take at leaste 0.39. Please update your Perl
installation if you want to deal with Password Policy in LemonLDAP::NG:
<span class="wikiexternallink"><a href=
"http://ldap.perl.org/">http://ldap.perl.org/</a></span> (en).
<h3 class="heading-1-1"><span id=
"HPasswordPolicyinLemonLDAP3A3ANG">Password Policy in
LemonLDAP::NG</span></h3>
<p class="paragraph"></p>The Password Policy functionality is available
since LemonLDAP::NG 0.9.1. It allows to display on the portal page 2 new
error messages:
<ul class="star">
<li>Your account is locked</li>
<li>Your password has expired</li>
</ul>Since LemonLDAP:NG 0.9.3, password policy is also used in menu, with
the password changement form. It handles the following errors:
<ul class="star">
<li>Password too short</li>
<li>Password in history</li>
<li>Password too young</li>
</ul>LemonLDAP::NG also notify the user for:
<ul class="star">
<li>Password expiration time</li>
<li>Password graces used</li>
</ul>Since LemonLDAP:NG 0.9.4, password policy can be used to force
password change is the password was reset (attribute pwdReset: TRUE in
user entry).
<p class="paragraph"></p>To activate Password Policy, you have to set a
new parameter inside you portal perl script (e.g. portal/index.pl), like:
<p class="paragraph"></p>
<div class="code">
<pre>
#!/usr/bin/perl<br /><br />use Lemonldap::NG::Portal::SharedConf;<br /><br />my $portal = Lemonldap::NG::Portal::SharedConf-><span class="java-keyword">new</span>(
{
configStorage => {
type => 'File',
dirName => '/<span class="java-keyword">var</span>/lib/config',
},
<b class="bold">ldapPpolicyControl => 1</b>,
}
);
</pre>
</div>
<h3 class="heading-1-1"><span id="HSeealso">See also</span></h3>
<ul class="star">
<li><span class="wikilink"><a href=
"4.5-LDAP-authentication-backend.html">Auth LDAP</a></span></li>
<li><span class="wikilink"><a href=
"4.7-LDAP-password-backend.html">Password DBLDAP</a></span></li>
</ul>
</div>
<p class="footer"><a href="index.html">Index</a></p>
</body>
</html>
