<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:1.9:authad</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,authad"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authad.html"/>
<link rel="contents" href="authad.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:authad","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div></li>
<li class="level1"><div class="li"><a href="#ad_password_policy">AD password policy</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="active_directory">Active Directory</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"> ✔ </td><td class="col1 centeralign"> ✔ </td><td class="col2 centeralign"> ✔ </td>
</tr>
</table></div>
</div>
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<p>
The Active Directory module is based on the <a href="authldap.html" class="wikilink1" title="documentation:1.9:authldap">LDAP module</a>, with these features:
</p>
<ul>
<li class="level1"><div class="li"> Specific default values for filters to match AD schema</div>
</li>
<li class="level1"><div class="li"> Compatible password modification</div>
</li>
<li class="level1"><div class="li"> Reset password on next logon workflow</div>
</li>
</ul>
</div>
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
<p>
The configuration is the same as the <a href="authldap.html" class="wikilink1" title="documentation:1.9:authldap">LDAP module</a>.
</p>
</div>
<h2 class="sectionedit5" id="ad_password_policy">AD password policy</h2>
<div class="level2">
<p>
Active Directory password policy does not follow the LDAP <abbr title="Request for Comments">RFC</abbr>; Microsoft has implemented its own policy.
LemonLDAP::NG implements this policy partially:
</p>
<ul>
<li class="level1"><div class="li"> when pwdLastSet = 0 in the user entry, the password has been reset by an administrator, and a form is presented to the user to change it.</div>
</li>
<li class="level1"><div class="li"> when the constructed attribute msDS-User-Account-Control-Computed has its 6th hexadecimal digit set to 8 (the password-expired bit, 0x800000), the password is considered expired (supported since Windows Server 2003). It is then too late for the user to do anything: they must contact their administrator.</div>
</li>
<li class="level1"><div class="li"> a warning before password expiration is possible in AD, but only through a GPO (Computer Configuration\Windows Settings\Local Policies\Security Options, under “Interactive Logon: Prompt user to change password before expiration”). However, this setting has no counterpart in the LDAP directory. A “password warning time before password expiration” variable can be set in LemonLDAP::NG to provide the same warning.</div>
</li>
</ul>
<div class="noteimportant">Note: since AD 2012, each user can have a specific password expiration policy, so the “maximum password age” can take different values for different users. This is currently unsupported in LemonLDAP::NG, because every applicable policy would have to be evaluated according to its precedence to know which maximum password age applies.
</div>
<p>
To configure the warning before password expiration, set two variables in the Active Directory parameters of the Manager:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Password expire warning</strong>: number of seconds before password expiration from which the user is warned that their password is about to expire.</div>
</li>
<li class="level1"><div class="li"> <strong>Password max age</strong>: number of seconds after the last password change before the password expires. It must match the AD policy.</div>
</li>
</ul>
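<p>
As an added illustration, not code from LemonLDAP::NG itself, the following Python sketch shows how the three rules above combine with the two Manager settings: a reset takes precedence, then the expired bit of msDS-User-Account-Control-Computed, then the warning window computed from pwdLastSet and the configured maximum age. It assumes pwdLastSet is read as a raw AD FILETIME (100-nanosecond ticks since 1601-01-01), interprets the “6th hexadecimal digit set to 8” as the 0x800000 bit, and uses constructed sample values; the fallback that reports “expired” when the computed age is exhausted but the bit is not set is this example's own choice.
</p>

```python
from datetime import datetime, timezone

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
FILETIME_EPOCH_DELTA = 11644473600
# Password-expired bit of msDS-User-Account-Control-Computed (0x800000 = 8388608).
UF_PASSWORD_EXPIRED = 0x800000


def filetime_to_unix(filetime: int) -> int:
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01) to Unix seconds."""
    return filetime // 10_000_000 - FILETIME_EPOCH_DELTA


def evaluate_ad_password(pwd_last_set: int, uac_computed: int,
                         max_age: int, warn_before: int, now: int):
    """Return (state, seconds_remaining) for a user entry.

    pwd_last_set : raw pwdLastSet value (FILETIME), 0 means "reset by admin"
    uac_computed : msDS-User-Account-Control-Computed as an integer
    max_age      : Manager setting "Password max age" (seconds, must match AD)
    warn_before  : Manager setting "Password expire warning" (seconds)
    now          : current Unix time
    """
    # Rule 1: pwdLastSet = 0 means the password was reset; force a change form.
    if pwd_last_set == 0:
        return ("reset", None)
    # Rule 2: AD itself flags the password as expired; the user must call an admin.
    if uac_computed & UF_PASSWORD_EXPIRED:
        return ("expired", None)
    # Rule 3: warning window derived from the configured maximum age.
    expires_at = filetime_to_unix(pwd_last_set) + max_age
    remaining = expires_at - now
    if remaining <= 0:
        # Assumption of this example: treat an exhausted age as expired even if
        # the directory has not (yet) set the bit.
        return ("expired", 0)
    if remaining <= warn_before:
        return ("warning", remaining)
    return ("ok", remaining)


def evaluate_entry(entry: dict, max_age: int, warn_before: int, now: int):
    """Same check over string attribute values as an LDAP search would return them."""
    pwd_last_set = int(entry.get("pwdLastSet", "0"))
    uac_computed = int(entry.get("msDS-User-Account-Control-Computed", "0"))
    return evaluate_ad_password(pwd_last_set, uac_computed, max_age, warn_before, now)


if __name__ == "__main__":
    # Constructed sample: password last set on 2024-01-01 00:00:00 UTC,
    # AD maximum age 42 days, warn the user during the last 5 days.
    last_set = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())
    sample = {"pwdLastSet": str((last_set + FILETIME_EPOCH_DELTA) * 10_000_000),
              "msDS-User-Account-Control-Computed": "0"}
    forty_days_later = last_set + 40 * 86400
    print(evaluate_entry(sample, 42 * 86400, 5 * 86400, forty_days_later))
```

<p>
The sample run reports a warning with two days (172800 seconds) left. Reading msDS-User-Account-Control-Computed requires an explicit attribute request on the LDAP search, since it is a constructed attribute and is not returned by default.
</p>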
</div>
</div>
</body>
</html>