From 97ecc1507476f1b84525b722989c494fb080bb05 Mon Sep 17 00:00:00 2001 From: root Date: Mon, 5 Sep 2016 16:55:04 +0800 Subject: [PATCH 1/2] doc for password policy --- .../configuration_user/user_auth_ldap.rst | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/admin_manual/configuration_user/user_auth_ldap.rst b/admin_manual/configuration_user/user_auth_ldap.rst index bda8f8df751..ba4a64c4e98 100644 --- a/admin_manual/configuration_user/user_auth_ldap.rst +++ b/admin_manual/configuration_user/user_auth_ldap.rst 
@@ -392,10 +392,25 @@ Enable LDAP password changes per user: * Additional requirements for Active Directory: - | - At least a 128-bit transport encryption must be used for the communication between Nextcloud and the LDAP server + | - At least a 128-bit transport encryption must be used for the communication between Nextcloud and the LDAP server. | | - Make sure that the ``fUserPwdSupport`` char of the dSHeuristics is configured to employ the ``userPassword`` attribute as ``unicodePwd`` alias. While this is set accordingly on AD LDS by default, this is not the case on AD DS. +Default password policy DN: + The DN of a default password policy that will be used for password expiry handling in the absence of any user specific password policy. Password expiry handling features the following: + + * When a LDAP password is about to expire, display a warning message to the user showing the number of days left before it expires. Password expiry warnings are displayed through the notifications app for Nextcloud. + + * Prompt LDAP users with expired passwords to reset their password during login, provided that an adequate number of grace logins is still available. + + Leave the setting empty to keep password expiry handling disabled. + + For the password expiry handling feature to work, LDAP password changes per user must be enabled and the LDAP server must be running OpenLDAP with its ppolicy module configured accordingly. + + * Example: + + | *cn=default,ou=policies,dc=my-company,dc=com* + Special Attributes ^^^^^^^^^^^^^^^^^^ From 442a01ffc390a2bc6ededd6c18aa2a88e15570fe Mon Sep 17 00:00:00 2001 From: Roger Szabo Date: Tue, 25 Apr 2017 18:29:47 +0800 Subject: [PATCH 2/2] comment by blizzz 20170425 Signed-off-by: Roger Szabo --- admin_manual/configuration_user/user_auth_ldap.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/admin_manual/configuration_user/user_auth_ldap.rst b/admin_manual/configuration_user/user_auth_ldap.rst index 6a56fecaab6..5f77bc22458 100644 --- a/admin_manual/configuration_user/user_auth_ldap.rst +++ b/admin_manual/configuration_user/user_auth_ldap.rst @@ -393,7 +393,7 @@ Enable LDAP password changes per user: * Make sure that the ``fUserPwdSupport`` char of the dSHeuristics is configured to employ the ``userPassword`` attribute as ``unicodePwd`` alias. While this is set accordingly on AD LDS by default, this is not the case on AD DS. Default password policy DN: - The DN of a default password policy that will be used for password expiry handling in the absence of any user specific password policy. Password expiry handling features the following: + This feature requires OpenLDAP with ppolicy. The DN of a default password policy will be used for password expiry handling in the absence of any user specific password policy. Password expiry handling features the following: * When a LDAP password is about to expire, display a warning message to the user showing the number of days left before it expires. Password expiry warnings are displayed through the notifications app for Nextcloud.
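Review bot: In PATCH 1/2, the grace-login bullet of the new "Default password policy DN" block covers only the case where "an adequate number of grace logins is still available" and never says what happens once they are used up. Add a sentence stating what an LDAP user with an expired password and no grace logins left sees at login, so administrators know whether that account needs a reset on the directory side. Two wording points in the same block: "When a LDAP password" should read "When an LDAP password", and "user specific" should be "user-specific".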
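Review bot: In PATCH 2/2, the prepended "This feature requires OpenLDAP with ppolicy." repeats a requirement that PATCH 1/2 already states further down in the same block ("the LDAP server must be running OpenLDAP with its ppolicy module configured accordingly"). Keep the requirement in one place, for example by trimming the later paragraph to the remaining condition that LDAP password changes per user must be enabled. Dropping "that" also changes the sentence from a definition of the setting into a free-standing statement: "The DN of a default password policy will be used ..." no longer tells the reader that this field is where the DN is entered. Something like "Enter the DN of the default password policy to use for password expiry handling when a user has no user-specific policy" would keep the meaning clear.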