Password Policy setup

[FarquahrWindsor]

More importantly is there anything in the pipeline with Zentyal?

In the use of ppolicy overlays as it would be a terrible choice of one or the other and not both.

Its not a bias yeah I said SSO but in the realworld when it comes to interoperability its a unfortunate fact that it provides for more.

[otoh]

Sorry to dig up an old thread, but the previous messages in it are relevant, I feel.

I'm just setting up a Zentyal server and am very keen to enforce at least some kind of password strength - I don't necessarily need expiration etc, but do need them to be a certain length and have eg punctuation in them.

It seems a bit thorny what with the LDAP setup. I wondered if it is possible to somehow hook into the user corner module? This is the only way that users would change their password; if I could somehow intercept the request and accept or reject it (via whatever script language), that would work - even though granted it's not the 'proper' way to do it. (Of course this wouldn't apply to password changes via the admin side - but I would make good passwords anyway.)

I just haven't figured out yet where to find the relevant files that handle the actual user-facing interface of the user corner. Any pointers?

[otoh]

I'm replying to my last post - it set me off on a slightly different direction, and I think I have a solution:
http://technology.mattrude.com/2010/11/ldap-php-change-password-webpage/

It's a nice PHP script for changing an LDAP password. As in my post above, it's not a 'real' password policy; but by disabling the user corner and pointing folk to this page on the (secure!) web site running on Zentyal, it fulfils my needs.

It requires a few mods - apt-get install php5-ldap - and a few small changes to the script, since the zentyal LDAP server doesn't support anonymous queries. I need to tidy it a bit but if anyone is interested, let me know and I'll post the changes.

[christian]

For what you target, that is not password policy but controls added at interface level (why not if it fits your needs), be sure that access to LDAP is blocked except for this application otherwise one malicious user may connect to LDAP and change its own password bypassing your "policy" 

[otoh]

For what you target, that is not password policy but controls added at interface level (why not if it fits your needs), be sure that access to LDAP is blocked except for this application otherwise one malicious user may connect to LDAP and change its own password bypassing your "policy" 

Exactly - I know it's not a 'policy' as such - I read up on the ways of doing it either via PAM or Samba and it made my head hurt! But this PHP script is the only method I will give users to change their password - all I really needed was some way to make sure they chose a secure one.