LDAP Password Policy and OpenDS
By Srikanth Konjarla on Sep 23, 2008
Password Policy has become an essential and integral part of user account management, and many enterprises implement one regardless of the data source. The most popular data repository for user authentication is LDAP, so enterprises are naturally looking for a Password Policy on the accounts that are maintained in the LDAP server.
I have been to customers where the LDAP server provides a proprietary Password Policy implementation. Sometimes this makes it very difficult to accommodate new applications into the system, and it makes it difficult for an enterprise to migrate to a new LDAP server. Most importantly, it becomes impossible for an application developer to write Password Policy code that would work with any LDAP server.
Essentially, the LDAP Password Policy is an Internet Draft that provides the details of a Password Policy implementation for an LDAP server such as OpenDS. Here is the link to the Password Policy implementation of OpenDS.
While we are on the Password Policy topic, I would like to present some real-world experience with a few LDAP applications I have come across that implement proprietary password policies. I have worked with some applications (rather, products) that maintain a bunch of attributes to track password changes, the last login time of the user, and so on. This means that every time a user accesses an application, the user's LDAP entry is updated. Imagine the number of "write" operations in a multi-million-entry deployment of an LDAP server.
To provide better performance and compatibility with the Password Policy Internet Draft, OpenDS generates these attributes automatically, for application developers' convenience.
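As an added example (not from this post or from the OpenDS project), here is a small Python decoder for the PasswordPolicyResponseValue control defined in the Password Policy Internet Draft, which is how a draft-compliant server such as OpenDS tells a client about an impending expiry, remaining grace logins or a locked account without the application tracking any of that itself. The ASN.1 layout and control OID are taken from the draft; the sample byte strings are constructed, not captured from a real server.

```python
# Added example, not code from the original post or from OpenDS.
# ASN.1 shape assumed from draft-behera-ldap-password-policy (IMPLICIT tags):
#   PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
#                          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { passwordExpired(0) .. passwordInHistory(8) } OPTIONAL }

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # control OID from the draft

ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]

WARNING_TAGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def read_tlv(buf, pos):
    """Read one BER tag/length/value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not allowed in LDAP BER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Return {'warning': (kind, count) or None, 'error': name or None}."""
    tag, body, end = read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    result, pos = {"warning": None, "error": None}, 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0] CHOICE, constructed
            wtag, wval, _ = read_tlv(inner, 0)
            if wtag not in WARNING_TAGS:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
            result["warning"] = (WARNING_TAGS[wtag], int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:                   # error [1] ENUMERATED, primitive
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = ERRORS[code] if 0 <= code < len(ERRORS) else f"unknown({code})"
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


# Constructed sample control values (not captured from a real server):
SAMPLE_EXPIRES_SOON = bytes.fromhex("3006a00480020e10")    # expires in 3600 s
SAMPLE_LOCKED = bytes.fromhex("3003810101")                # error: accountLocked
SAMPLE_GRACE = bytes.fromhex("3008a003810102810100")       # 2 grace logins, expired
```

A client would look for PPOLICY_RESPONSE_OID among the controls on a bind response and pass that control's value to decode_ppolicy_response, then warn the user or log the lockout rather than writing its own tracking attributes into the entry.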