Specification for a new Password Change framework

  • Instead of directly modifying the userPassword attribute, let's start using the EXOP change password protocol. This protocol enables one to change LDAP passwords using an LDAP API.
  • Enable the slapo-ppolicy overlay to do strength checking of passwords. We can do password aging, account blocking after n failed passwords, password strength checking, checking against the last n passwords and so on, all on the server side. Then, irrespective of which tool is used to change the password, the same restrictions will apply. At the moment, we can support the following tools to change passwords via slapo-ppolicy: pam_ldap, SOGo and EasyPush (admin-end & user-end).
  • Check out the slapo-ppolicy man page for more details about this overlay's features.
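
A sketch of how the restrictions listed above map onto slapo-ppolicy settings, added here as an illustration and not taken from this project's configuration. The suffix dc=example,dc=com, the ou=policies container, the {1}mdb database index and every numeric value are assumptions; it also assumes the ppolicy module and schema are already loaded.

```ldif
# Constructed example: all DNs and values below are placeholders.
# 1. Attach the overlay to the database and name the default policy.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com
# Hash cleartext values that still arrive through a plain modify of
# userPassword, so they are stored the same way as EXOP changes.
olcPPolicyHashCleartext: TRUE
# Do not report the AccountLocked state back to the client on bind.
olcPPolicyUseLockout: FALSE

# 2. The default policy entry, applied to every account that has no
#    pwdPolicySubentry of its own.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Password aging: expire after 90 days, warn during the last 7 (seconds).
pwdMaxAge: 7776000
pwdExpireWarning: 604800
# Account blocking: lock for 15 minutes after 5 failures within 15 minutes.
pwdLockout: TRUE
pwdMaxFailure: 5
pwdFailureCountInterval: 900
pwdLockoutDuration: 900
# Strength checking: 2 means a value the server cannot inspect (for example
# one a client hashed before writing userPassword) is rejected, so clients
# have to send the new password through the EXOP for the check to pass.
pwdCheckQuality: 2
pwdMinLength: 12
# Refuse reuse of the last 5 passwords.
pwdInHistory: 5
# Users may change their own password.
pwdAllowUserChange: TRUE
```

Because the password modify EXOP carries the new password in cleartext so the server can check and hash it, the connection used by each client tool should be protected with TLS.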
