LinuxQuestions.org
09-12-2011, 11:55 AM   #1
guttersnipe
LQ Newbie
 
Registered: Jun 2007
Distribution: Gentoo, Ubuntu
Posts: 23

ApacheDS Password Policy


Hello Linux Server Gurus,

Does ApacheDS have the ability to implement password policies?

I'm trying to set up an LDAP server in my environment. I did some research between different FOSS LDAP servers, and I've decided that ApacheDS might be our best option for stability & easy management/administration. Unfortunately, the ApacheDS project is not very well documented :\

My environment must be PCI compliant, so my LDAP users' passwords have several policy requirements that must be met. For example, in PCI DSS v2:

* section 8.5.9 requires us to "change user passwords at least every 90 days."
* section 8.5.11 requires us to "use passwords containing both numeric and alphabetic characters"
* section 8.5.12 requires that we "not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used."
* section 8.5.13 requires us to "limit repeated access attempts by locking out the user ID after not more than six attempts."
* section 8.5.14 requires us to "set the lockout duration to a minimum of 30 minutes or until [an] administrator enables the user ID."
* section 8.5.15 requires "if a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session"

I know that ApacheDS can be configured using "policyPasswordLength" and "policyCategoryCount", but these 2 options are not sufficient for my needs.

Can ApacheDS support this sort of password policy? If not, which LDAP server does?


TIA,
Michael

Last edited by guttersnipe; 09-12-2011 at 11:57 AM.
 
09-13-2011, 03:24 AM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,937

Hi,

I haven't used ApacheDS, so after taking a look at its documentation, it looks like it does not have the options you want.
From my past experience with SunOne (formerly iPlanet and now Oracle) directory server, I know that this LDAP server does fulfill your request.
The same goes for the RHEL/CentOS Directory Server and the Fedora 389 Directory Server, because all of them are derived from ex-Sun's Directory Server.
You can have a look at RHEL's documentation for more details.
You didn't mention your distro, but all of the above can be run only in RHEL based distros.
So if you want a free product, go with CentOS and its Directory Server (or Fedora if you want something more fancy), and if you need paid support, go with RHEL or Oracle Directory Server.

Regards
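
An added example, not part of either post and not code from any of the projects mentioned: a Python check that reads 389 Directory Server global password-policy attributes (as stored on `cn=config`) and reports which of the PCI DSS v2 items quoted in the question are not met. The sample LDIF is constructed, and a missing `passwordUnlock` is assumed to behave as `on`.

```python
# Added example: audit 389 Directory Server password-policy attributes against
# the PCI DSS v2 items quoted in the question. SAMPLE_LDIF is constructed for
# illustration; it is not output from a real server.
SAMPLE_LDIF = """\
dn: cn=config
passwordExp: on
passwordMaxAge: 15552000
passwordCheckSyntax: on
passwordMinDigits: 1
passwordMinAlphas: 1
passwordHistory: on
passwordInHistory: 4
passwordLockout: on
passwordMaxFailure: 10
passwordUnlock: on
passwordLockoutDuration: 1800
"""

def parse_ldif_entry(text):
    """Return {lowercased attribute: value} for one unfolded, plain-text LDIF entry."""
    attrs = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            attrs[name.strip().lower()] = value.strip()
    return attrs

def audit(attrs):
    """Return the PCI DSS v2 section numbers that the settings do not satisfy."""
    def on(name, default="off"):
        return attrs.get(name, default).lower() == "on"
    def num(name):
        value = attrs.get(name, "")
        return int(value) if value.isdigit() else 0  # missing/invalid counts as 0
    checks = {
        # Expiry enabled and at most 90 days (values are in seconds).
        "8.5.9": on("passwordexp") and 0 < num("passwordmaxage") <= 90 * 86400,
        # Syntax checking enabled, at least one digit and one letter required.
        "8.5.11": on("passwordchecksyntax") and num("passwordmindigits") >= 1
                  and num("passwordminalphas") >= 1,
        "8.5.12": on("passwordhistory") and num("passwordinhistory") >= 4,
        "8.5.13": on("passwordlockout") and 1 <= num("passwordmaxfailure") <= 6,
        # Either locked until an administrator resets, or locked for >= 30 minutes.
        "8.5.14": on("passwordlockout") and (not on("passwordunlock", "on")
                  or num("passwordlockoutduration") >= 1800),
    }
    # 8.5.15 (idle sessions) is enforced by the login session, not the directory.
    return [section for section, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(audit(parse_ldif_entry(SAMPLE_LDIF)))
```
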
 
  



Tags
ldap, openldap, passwords, policy


All times are GMT -5.
