Subject: openldap password policy

Recently my company has required the mail server to enforce a minimum password length and a password change once a month. I searched this BBS and found nothing useful on the subject, so I looked through the OpenLDAP guide, which says password policies are supported. I would like to ask the iRedMail experts whether this could be added to the next release, or whether there is some workaround to feed OpenLDAP's password policy information back to the webmail, so that users know their password is about to expire. The guide describes the policy like this:
    The user is allowed to change his own password. Note that the directory ACLs for this attribute can also affect this ability (pwdAllowUserChange: TRUE).
    The name of the password attribute is “userPassword” (pwdAttribute: userPassword). Note that this is the only value that is accepted by OpenLDAP for this attribute.
    The server will check the syntax of the password. If the server is unable to check the syntax (i.e., it was hashed or otherwise encoded by the client) it will return an error refusing the password (pwdCheckQuality: 2).
    When a client includes the Password Policy Request control with a bind request, the server will respond with a password expiration warning if it is going to expire in ten minutes or less (pwdExpireWarning: 600). The warnings themselves are returned in a Password Policy Response control.
    When the password for a DN has expired, the server will allow five additional “grace” logins (pwdGraceAuthNLimit: 5).
    The server will maintain a history of the last five passwords that were used for a DN (pwdInHistory: 5).
    The server will lock the account after the maximum number of failed bind attempts has been exceeded (pwdLockout: TRUE).
    When the server has locked an account, the server will keep it locked until an administrator unlocks it (pwdLockoutDuration: 0).
    The server will reset its failed bind count after a period of 30 seconds.
    Passwords will not expire (pwdMaxAge: 0).
    Passwords can be changed as often as desired (pwdMinAge: 0).
    Passwords must be at least 5 characters in length (pwdMinLength: 5).
    The password does not need to be changed at the first bind or when the administrator has reset the password (pwdMustChange: FALSE).
    The current password does not need to be included with password change requests (pwdSafeModify: FALSE).
    The server will only allow five failed binds in a row for a particular DN (pwdMaxFailure: 5).

Now I want to use ldapmodify to add a pwdPolicy objectClass to every user in the directory. How do I do that? I only know how to use ldapmodify to modify attributes. Thanks, everyone.
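As an added example (not code from the original post or from iRedMail), the script below builds the LDIF that ldapmodify needs for the setup the poster describes: one pwdPolicy entry that enforces a minimum length and a 30-day maximum age, and a pwdPolicySubentry modification for each user. Note that pwdPolicy is an AUXILIARY class that lives on a separate policy entry; users are pointed at it through the pwdPolicySubentry attribute rather than by giving each user the pwdPolicy class. The suffix, policy DN and user DNs are constructed, the parent ou of the policy entry must already exist, and the ppolicy schema and overlay must already be loaded on the server (not shown here).

```python
"""Build the LDIF for an OpenLDAP ppolicy deployment: one pwdPolicy entry
(minimum length, 30-day maximum age) plus a pwdPolicySubentry modification
for every user DN, for feeding to ldapmodify.

Added example, not code from the original post or from iRedMail. The suffix,
policy DN and user DNs are constructed; the ppolicy schema and overlay must
already be loaded on the server (not shown here).
"""
import base64


def ldif_attr(name, value):
    """Return one 'name: value' line, base64-encoding the value when RFC 2849
    does not allow it as a SAFE-STRING (leading space/colon/'<', trailing
    space, non-ASCII or control characters)."""
    if isinstance(value, bool):
        value = "TRUE" if value else "FALSE"
    value = str(value)
    unsafe = (
        value[:1] in (" ", ":", "<")
        or value.endswith(" ")
        or any(ord(c) > 127 or c in "\0\r\n" for c in value)
    )
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"


def rdn_value(dn):
    """Value of the first RDN, e.g. 'default' for 'cn=default,ou=...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def policy_entry(policy_dn, *, min_length=8, max_age_days=30,
                 expire_warning_days=7, in_history=5, max_failure=5,
                 lockout_duration=900):
    """LDIF 'add' record for the pwdPolicy entry. ppolicy counts ages and
    durations in seconds, so the day-based arguments are converted here."""
    max_age = max_age_days * 86400
    warning = expire_warning_days * 86400
    if not 0 < warning < max_age:
        raise ValueError("pwdExpireWarning must be shorter than pwdMaxAge")
    attrs = [
        ("dn", policy_dn),
        ("changetype", "add"),
        ("objectClass", "device"),         # structural class to hang the AUXILIARY pwdPolicy on
        ("objectClass", "pwdPolicy"),
        ("cn", rdn_value(policy_dn)),
        ("pwdAttribute", "userPassword"),  # the only value OpenLDAP accepts here
        ("pwdMinLength", min_length),
        ("pwdMaxAge", max_age),            # 30 days = 2592000 s: forces the monthly change
        ("pwdExpireWarning", warning),     # warning for clients that send the ppolicy control
        ("pwdInHistory", in_history),      # no reuse of the last N passwords
        ("pwdCheckQuality", 1),            # 1 accepts passwords the client pre-hashed; 2 rejects them
        ("pwdLockout", True),
        ("pwdMaxFailure", max_failure),
        ("pwdLockoutDuration", lockout_duration),  # seconds; 0 would need an admin to unlock
    ]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def assign_policy(user_dn, policy_dn):
    """LDIF 'modify' record pointing one user at the policy. 'replace' rather
    than 'add' so the file can be re-run safely on users already assigned."""
    return "\n".join([
        ldif_attr("dn", user_dn),
        "changetype: modify",
        "replace: pwdPolicySubentry",
        ldif_attr("pwdPolicySubentry", policy_dn),
        "-",
    ]) + "\n"


def build_ldif(policy_dn, user_dns, **policy_kwargs):
    """Whole file: the policy entry first, then one modify record per user."""
    records = [policy_entry(policy_dn, **policy_kwargs)]
    records += [assign_policy(dn, policy_dn) for dn in user_dns]
    return "\n".join(records)


if __name__ == "__main__":
    # Constructed tree (assumption); in practice take the user DNs from ldapsearch output.
    policy = "cn=default,ou=Policies,dc=example,dc=com"
    users = [
        "mail=alice@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com",
        "mail=bob@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com",
    ]
    print(build_ldif(policy, users), end="")
```

Redirect the output to a file and load it as the rootdn, e.g. `ldapmodify -x -H ldap://127.0.0.1 -D "cn=Manager,dc=example,dc=com" -W -f ppolicy.ldif` (DN assumed). Two caveats: if you would rather not touch every user entry, the overlay's `ppolicy_default` directive (`olcPPolicyDefault` in cn=config) names a policy that applies to every entry without its own pwdPolicySubentry; and ppolicy measures age from pwdChangedTime, which it stamps when it sees a password change, so passwords set before the overlay was enabled carry no timestamp and will not expire until they are changed once.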

Re: openldap password policy

OpenLDAP provides the ppolicy overlay for password policies, but I have never been able to get it working smoothly on OpenLDAP-2.3.x, so it has not been integrated yet.

Another approach:
iRedMail's LDAP user accounts carry objectClass=shadowAccount by default, and since iRedMail-0.7.x, changing the password through webmail updates the pwdLastChange attribute. What remains is to add a plugin to iRedAPD that checks whether the time of the last password change complies with your change-once-a-month policy; if it does not, refuse to send the mail and return a message to the client, for example: "You must change your password immediately before you can send mail." Of course, the message must be in English.

If you are using iRedMail-0.7.x with the MySQL backend, there is a ready-made solution that needs no plugin:
http://iredmail.org/wiki/index.php?titl … in.90.Days
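The decision logic such a plugin would need, as an added example that is not iRedAPD's own code: how iRedAPD loads a plugin and what it hands to it is assumed and not shown, only the check itself is. The age is read from the shadowAccount attribute shadowLastChange, which RFC 2307 defines as the day of the last password change counted in days since 1970-01-01. Return values follow the Postfix access-policy protocol, which a policy daemon like iRedAPD speaks: "DUNNO" means no opinion, "REJECT text" refuses the message and shows that text to the client. The directory contents and requests are constructed.

```python
"""Password-age gate for authenticated SMTP senders, in the style of a
Postfix policy-daemon plugin (iRedAPD is one such daemon).

Added example, not iRedAPD's own code: how iRedAPD loads a plugin and what
it passes to it is assumed and not shown; only the decision logic is here.
The age comes from the shadowAccount attribute shadowLastChange, which
RFC 2307 defines as the day of the last password change in days since
1970-01-01. Return values follow the Postfix access-policy protocol:
"DUNNO" means no opinion, "REJECT text" refuses the message with that text.
"""
import datetime

MAX_AGE_DAYS = 30  # the "change once a month" rule from the thread
REJECT_ACTION = "REJECT You must change your password before you can send mail"
EPOCH = datetime.date(1970, 1, 1)


def today_in_days(today=None):
    """Days since the epoch, the unit shadowLastChange is kept in."""
    return ((today or datetime.date.today()) - EPOCH).days


def last_change_days(attrs):
    """Extract shadowLastChange from a python-ldap style attribute dict
    (attribute -> list of bytes). None when absent or not an integer."""
    values = attrs.get("shadowLastChange") or []
    if not values:
        return None
    raw = values[0]
    if isinstance(raw, bytes):
        raw = raw.decode("ascii", "replace")
    try:
        return int(raw)
    except ValueError:
        return None


def check_password_age(attrs, today=None, max_age_days=MAX_AGE_DAYS,
                       reject_when_unknown=False):
    """Decide for one authenticated user."""
    now = today_in_days(today)
    last = last_change_days(attrs)
    if last is None:
        # Never recorded (account predates the webmail writing this attribute)
        # or unparseable. Failing open by default keeps a rollout from locking
        # everyone out; switch to fail-closed once every account has a value.
        return REJECT_ACTION if reject_when_unknown else "DUNNO"
    if last == 0:
        # shadow(5): 0 means the password must be changed at next login.
        return REJECT_ACTION
    if last > now:
        # A change date in the future is clock skew or tampering; do not let
        # it buy extra time.
        return REJECT_ACTION
    if now - last > max_age_days:
        return REJECT_ACTION
    return "DUNNO"


def handle_request(request, lookup, **kwargs):
    """request: dict of the attributes Postfix sends in a policy request.
    lookup: callable returning the user's attribute dict, or None if unknown.
    Only SASL-authenticated senders are checked; inbound mail from other MTAs
    carries no sasl_username and passes through untouched."""
    username = request.get("sasl_username", "")
    if not username:
        return "DUNNO"
    attrs = lookup(username)
    if attrs is None:
        return "DUNNO"  # unknown account: leave that to the other checks
    return check_password_age(attrs, **kwargs)


# Constructed directory and requests (assumption), standing in for an LDAP search.
SAMPLE_USERS = {
    "alice@example.com": {"shadowLastChange": [b"15000"]},  # 20 days old on day 15020
    "bob@example.com": {"shadowLastChange": [b"14980"]},    # 40 days old: expired
    "carol@example.com": {"shadowLastChange": [b"0"]},      # forced change
    "dave@example.com": {},                                 # never recorded
}
SAMPLE_TODAY = EPOCH + datetime.timedelta(days=15020)


def demo():
    """Run every sample user, plus an unauthenticated request, through the gate."""
    results = {}
    for user in list(SAMPLE_USERS) + [""]:
        req = {"sasl_username": user, "sender": user}
        results[user or "<unauthenticated>"] = handle_request(
            req, SAMPLE_USERS.get, today=SAMPLE_TODAY)
    return results


if __name__ == "__main__":
    for who, action in demo().items():
        print(f"{who:22} {action}")
```

Two points worth keeping in mind: the reject text has to be plain ASCII because that is what Postfix relays to the SMTP client, which is why the reply above says the message must be in English; and a gate on sending only fires when the user sends, so someone who does not send mail for months keeps an old password indefinitely unless a server-side maximum age (ppolicy's pwdMaxAge) backs it up.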

Re: openldap password policy

How do I add a plugin to iRedAPD?

Re: openldap password policy

There is currently no ready-made plugin; you will need to develop one yourself.

Re: openldap password policy

Restrict by IP with Apache,
or with htaccess. Wouldn't that do?