Andris Eiduks wrote:
Hi!
We use OpenLDAP for user authentication, and have now also implemented a password policy.
Authentication from Tomcat works without problems, but customers find out about expired passwords only after an unsuccessful bind, when all limits have been exceeded.
ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
Is it possible to get the same info from a BIND operation performed from another system's side against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
You need to make that client use the ppolicy control in order to retrieve the desired information, and that client must be able to show that information to the user. Usually, clients unaware of ppolicy do not expect binds to return any information other than success or failure.

A ppolicy-unaware client could be returned the relevant ppolicy information in textual form in the LDAP response message, but usually the client will ignore it, or it won't have any means to present it to the user. For example, think of an interactive mail user agent: if the bind is successful, usually it just shows mail messages; in case of password expiration, it should rather pop up a box with that information and an "OK" button; a very clever one would also present a "Change your password now" button. This is not something you can delegate to the LDAP side of the client, so adding support for ppolicy to an LDAP-aware client is the least.

To add further complexity, if the client (wisely) delegates authentication to some external means, like SASL, which in turn happens to use LDAP via ldapdb, there would be no means to let the ppolicy response slip through the SASL layer to the popup, because SASL as well only expects either success or failure.
p.
Ing. Pierangelo Masarati, OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
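A worked example of what the reply describes, the client side reading the ppolicy response control that comes back with the BIND result (added here, not code from the thread or from OpenLDAP; the sample control values are constructed, and the error names follow draft-behera-ldap-password-policy):

```python
# Added example, not code from this thread: a stand-alone BER decoder for the
# Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that slapd
# returns with the BIND result when the client sent the ppolicy request control.
# A real client would use python-ldap's ldap.controls.ppolicy; this needs no server.

PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """Return (tag, contents, next_pos) for one BER TLV, short or long length."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error [1] ENUMERATED OPTIONAL }
    (a CHOICE cannot be implicitly tagged, so 'warning' is explicit 0xA0; 'error' is 0x81)"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value is not a SEQUENCE")
    out = {"timeBeforeExpiration": None, "graceAuthNsRemaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                                 # warning wrapper
            wtag, wval, _ = _tlv(inner, 0)
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out[key] = int.from_bytes(wval, "big", signed=True)
        elif tag == 0x81:                               # error ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
    return out

def user_message(info):
    """The text a ppolicy-aware client should show after the BIND, not just OK/fail."""
    if info["graceAuthNsRemaining"] is not None:
        return "password expired, %d grace bind(s) left" % info["graceAuthNsRemaining"]
    if info["error"] is not None:
        return "password policy error: %s" % info["error"]
    if info["timeBeforeExpiration"] is not None:
        return "password expires in %d seconds" % info["timeBeforeExpiration"]
    return "password OK"

# Constructed sample control values, as the server's BER would look on the wire:
WARN_1DAY = bytes.fromhex("3007a0058003015180")    # timeBeforeExpiration = 86400
GRACE_2 = bytes.fromhex("3008a003810102810100")    # 2 grace binds left + passwordExpired
LOCKED = bytes.fromhex("3003810101")               # error accountLocked
```

With python-ldap, the same bytes arrive as the `encodedControlValue` of the response control returned by `simple_bind_s(..., serverctrls=[PasswordPolicyControl()])`; a client that never sends the request control gets no such value back, which is exactly the situation the thread describes.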