PAM LDAP authentication password policy questions
I'd like to implement a password policy for the users in my LDAP db.
I'm using RHEL OpenLDAP as the server and RHEL/Solaris/etc. as LDAP clients.
How can I accomplish the following:
1 - Automatic password expiration.
2 - X days warning in advance of expiration.
3 - Force user to change password before expiration! Is this even possible??
4 - Verify password complexity for new passwords.
There is a schema file with definitions that seem to deal with some of the above:
nis.schema - shadowMax, shadowWarning, shadowExpire
In my LDAP db, these are user properties, so not part of a policy profile, and the nis.schema does not seem to facilitate a forced password change before passwords expire.
I tried fiddling with these properties, but without the desired results.
If there are arguments that could be made why forcing users to change their passwords before expiration is a bad idea, I'd gladly hear them.