Buchan Milne wrote:
The biggest problem here is that not all software makes provision for "authentication" to respond with anything besides "yes" or "no".
Yup.
I was trying to see if it would be feasible to add ppolicy support to mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code should the authentication return (ideally one that would result in the user being sent to a page suitable for that code - e.g. to change their password) to apache? In the squid case, it looks initially like squid needs a patch to support any password expiry at all (http://sarg.sourceforge.net/ncsaplus.php).
Bear in mind that in a single-password environment, proxy authentication (like with Squid) is somewhat of a security risk anyway, since the password is transferred in the clear over the wire to the proxy for each HTTP hit going through the proxy.
I have also started discussions with some web application frameworks (e.g. Catalyst).
I'd rather recommend using a decent WebSSO system and integrating web servers/applications with that central authentication component, because when using centralized passwords you don't want to transmit the password to every integrated system. Rather, in an SSO system, the systems see only short-time tickets. I'm successfully using CAS for that in one customer project. It works pretty well and the developers are very responsive.
Maybe it would be worthwhile making a list of which applications could really do with password expiry support, and filing bugs on them for the missing pieces?
Not worth the effort for web access. Rather integrate with a WebSSO solution and handle the password policy stuff in a central place.
Ciao, Michael.