ApacheDS Password Policy
Hello Linux Server Gurus,
Does ApacheDS have the ability to implement password policies?
I'm trying to set up an LDAP server in my environment. I did some research between different FOSS LDAP servers, and I've decided that ApacheDS might be our best option for stability & easy management/administration. Unfortunately, the ApacheDS project is not very well documented :\
My environment must be PCI compliant, so my LDAP user's passwords have several policy requirements that must be met. For example, in PCI DSS v2:
* section 8.5.9 requires us to "change user passwords at least every 90 days."
* section 8.5.11 requires us to "use passwords containing both numeric and alphabetic characters"
* section 8.5.12 requires that we "not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used."
* section 8.5.13 requires us to "limit repeated access attempts by locking out the user ID after not more than six attempts."
* section 8.5.14 requires us to "set the lockout duration to a minimum of 30 minutes or until [an] administrator enables the user ID."
* section 8.5.15 requires "if a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session"
I know that ApacheDS can be configured using "policyPasswordLength" and "policyCategoryCount", but these 2 options are not sufficient for my needs.
Can ApacheDS support this sort of password policy? If not, which LDAP server does?
I haven't used ApacheDS, so after taking a look at its documentation, it looks like it does not have the options you want.
From my past experience with Sun ONE (formerly iPlanet and now Oracle) Directory Server, I know that this LDAP server does fulfill your request.
The same goes for the RHEL/CentOS Directory Server and the Fedora 389 Directory Server, because all of them are derived from ex-Sun's Directory Server.
You can have a look at RHEL's documentation for more details.
You didn't mention your distro, but all of the above can be run only on RHEL-based distros.
So if you want a free product, go with CentOS and its Directory Server (or Fedora if you want something more fancy), and if you need paid support, go with RHEL or Oracle Directory Server.
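As a worked example of what the answer above is pointing at, here is an added LDIF fragment (not from either poster) that sets a 389 Directory Server / Red Hat Directory Server global password policy on `cn=config`, with each value mapped to the PCI DSS v2 section quoted in the question. The attribute names are the server's real password-policy attributes; the values (90 days and 30 minutes converted to seconds, history depth 4, lockout after 6 failures) are taken from the requirements listed in the question. The idle-session rule in 8.5.15 is not a directory setting at all: it has to be enforced by the application or session layer that uses the LDAP bind, so it does not appear below.

```ldif
# Constructed example: 389 DS global password policy for the PCI DSS v2
# sections quoted in the question. Apply as Directory Manager, e.g.
#   ldapmodify -x -D "cn=Directory Manager" -W -f pci-pwpolicy.ldif
dn: cn=config
changetype: modify
# 8.5.9: passwords expire; max age is 90 days = 90 * 24 * 3600 seconds
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7776000
-
# 8.5.11: syntax checking on, require at least one digit and one letter
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinDigits
passwordMinDigits: 1
-
replace: passwordMinAlphas
passwordMinAlphas: 1
-
# 8.5.12: keep history and reject any of the last four passwords
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 4
-
# 8.5.13: lock the account after no more than six failed binds
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 6
-
# 8.5.14: auto-unlock after 30 minutes = 1800 seconds.
# Set passwordUnlock: off instead if you want an administrator
# to be the only one who can re-enable a locked account.
replace: passwordLockoutDuration
passwordLockoutDuration: 1800
-
replace: passwordUnlock
passwordUnlock: on
```

To confirm the lockout settings took effect, look at the operational attributes the server maintains on a user entry (`passwordRetryCount`, `retryCountResetTime`, `accountUnlockTime`) after a few deliberately failed binds against a test account; they should count up and then show an unlock time 30 minutes out. Because this is the global policy, every bind DN under the server is covered unless a subtree or user-level policy overrides it, which is worth checking during the PCI assessment.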