slapo-ppolicy(5)

Password Policy overlay to slapd

Configuration

These slapd.conf configuration options apply to the ppolicy overlay. They should appear after the overlay directive.

ppolicy_default <policyDN>
Specify the DN of the pwdPolicy object to use when no specific policy is set on a given user's entry. If there is no specific policy for an entry and no default is given, then no policies will be enforced.

ppolicy_forward_updates
Specify that policy state changes that result from Bind operations (such as recording failures, lockout, etc.) on a consumer should be forwarded to a provider instead of being written directly into the consumer's local database. This setting is only useful on a replication consumer, and also requires the updateref setting and chain overlay to be appropriately configured.

ppolicy_hash_cleartext
Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500/LDAP information model, but may be needed to compensate for LDAP clients that don't use the Password Modify extended operation to manage passwords. When this option is used, it is recommended that compare, search, and read access be denied to all directory users.

ppolicy_use_lockout
A client will always receive an LDAP InvalidCredentials response when Binding to a locked account. By default, when a Password Policy control was provided on the Bind request, a Password Policy response will be included with no special error code set. This option changes the Password Policy response to include the AccountLocked error code. Note that sending the AccountLocked error code provides useful information to an attacker; sites that are sensitive to security issues should not enable this option.

ppolicy_send_netscape_controls
If set, ppolicy will send the password policy expired (2.16.840.1.113730.3.4.4) and password policy expiring (2.16.840.1.113730.3.4.5) controls when appropriate. The controls are not sent for bind requests where the Password Policy control has already been requested. Default is not to send the controls.

ppolicy_check_module <path>
Specify the path of a loadable module containing a check_password() function for additional password quality checks. The use of this module is described further below in the description of the pwdPolicyChecker objectclass.

Note: The user-defined loadable module must be in slapd's standard executable search PATH, or an absolute path must be provided.

Note: Use of a ppolicy_check_module is a non-standard extension to the LDAP password policy proposal.
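The checks below are an added example, not part of the manual page or of OpenLDAP: a small audit of a slapd.conf text for the pitfalls the options above describe (directives placed before the overlay line, a missing ppolicy_default, ppolicy_use_lockout enabled, ppolicy_hash_cleartext without an ACL review). The function name audit_ppolicy, the finding codes and the sample configuration are assumptions made for illustration; it assumes the slapd.conf format with a single ppolicy instance.

```python
import shlex

PPOLICY_OPTS = {
    "ppolicy_default", "ppolicy_forward_updates", "ppolicy_hash_cleartext",
    "ppolicy_use_lockout", "ppolicy_send_netscape_controls", "ppolicy_check_module",
}
# Constructed sample configuration (hypothetical suffix and policy DN).
SAMPLE = '''\
database mdb
suffix "dc=example,dc=com"
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
overlay ppolicy
ppolicy_use_lockout
ppolicy_hash_cleartext
'''

def audit_ppolicy(conf_text):
    """Return sorted (line_no, code, message) findings for a slapd.conf text."""
    findings, seen, in_ppolicy, overlay_line = [], {}, False, None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        # Skip blanks, comments, and continuation lines (leading whitespace).
        if not raw.strip() or raw[0].isspace() or raw.startswith("#"):
            continue
        tokens = shlex.split(raw)
        key, args = tokens[0].lower(), tokens[1:]
        if key == "overlay":
            in_ppolicy = bool(args) and args[0].lower() == "ppolicy"
            overlay_line = no if in_ppolicy else overlay_line
        elif key in ("database", "backend"):
            in_ppolicy = False  # a new section ends the overlay's scope
        elif key in PPOLICY_OPTS:
            if in_ppolicy:
                seen[key] = no
            else:
                findings.append((no, "MISPLACED", f"{key} must follow 'overlay ppolicy'"))
    if overlay_line is None:
        return sorted(findings)
    if "ppolicy_default" not in seen:
        findings.append((overlay_line, "NO_DEFAULT",
                         "entries without their own policy get no enforcement"))
    if "ppolicy_use_lockout" in seen:
        findings.append((seen["ppolicy_use_lockout"], "LOCKOUT_DISCLOSED",
                         "AccountLocked is returned to clients sending the control"))
    if "ppolicy_hash_cleartext" in seen:
        findings.append((seen["ppolicy_hash_cleartext"], "REVIEW_ACL",
                         "deny compare, search and read access to directory users"))
    return sorted(findings)
```

In the sample, ppolicy_default is written before the overlay line, so it is reported both as misplaced and as missing from the overlay's own settings.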