ApacheDS Password Policy

guttersnipe · 09-12-2011, 11:55 AM

Hello Linux Server Gurus,

Does ApacheDS have the ability to implement password policies?

I'm trying to setup an LDAP server in my environment. I did some research between different FOSS LDAP servers, and I've decided that ApacheDS might be our best option for stability & easy management/administration. Unfortunately, the ApacheDS project is not very well documented :\

My environment must be PCI compliant, so my LDAP user's passwords have several policy requirements that must be met. For example, in PCI DSS v2:

* section 8.5.9 requires us to "change user passwords at least every 90 days."
* section 8.5.11 requires us to "use passwords containing both numeric and alphabetic characters"
* section 8.5.12 requires that we "not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used."
* section 8.5.13 requires us to "limit repeated access attempts by locking out the user ID after not more than six attempts."
* section 8.5.14 requires us to "set the lockout duration to a minimum of 30 minutes or until [an] administrator enables the user ID."
* section 8.5.15 requires "if a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session"

I know that ApacheDS can be configured using "policyPasswordLength" and "policyCategoryCount", but these 2 options are not sufficient for my needs.

Can ApacheDS support this sort of password policy? If not, which LDAP server does?

TIA,
Michael

bathory · 09-13-2011, 03:24 AM

Hi,

I haven't use apacheDS, so after taking a look at its documentation, it looks like it does not have the options you want.
From my past experience with SunOne (former Iplanet and now Oracle) directory server, I know that this ldap server does fulfill your request.
The same goes with the RHEL/Centos Directory Server and the Fedora 389 Directory Server, because all of them are derived from exSun's Directory Server.
You can have a look at RHEL's documentation for more details.
You didn't mention your distro, but all of the above can be run only in RHEL based distros.
So if you want a free product go with Centos and its Directory Server (or Fedora if you want something more fancy) and if you need paid support go with RHEL or Oracle Directory Server.

Regards