On Thursday 26 June 2008 17:39:27 Michael Ströder wrote:
> Buchan Milne wrote:
>> On Thursday 26 June 2008 13:52:05 Michael Ströder wrote:
>>> Let's look at a very simple case: How should a web server which implements HTTP basic authc implement the user interaction needed? It simply relies on the browser popping up the login window, nothing else. What you could do is redirect the user to an error page implemented as CGI-BIN which makes further checks. You can do that yourself.
>> But, ideally I would like to send the user to the right page (not a generic "authorization failed"), in which case I need a different error code to send them to a suitable error page (which might have a form for them to change their password etc.).
> You could redirect them always to the not-authorized URL and the CGI-BIN handler behind that retries the LDAP bind together with the ppolicy control, reacting according to the ppolicy control values in the bind response.

That is what I will implement for now, but if the user's password has already expired, you use an additional grace login. If your site's policy is to allow 3 grace logins, most likely the page should then also provide the user with a means to have their password reset ...

> Just a rough idea though... not sure how to reliably pass the username/password to the not-authorized URL. Let's think about it...

I would pass only the username through to a form telling the user that authentication failed, notifying them that they can test the password and, if necessary, be prompted to change it, if they enter the password again.
Regards, Buchan
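The handler Michael sketches above has to read the Password Policy response control returned with the bind result and branch on it: a remaining grace login count, a time-before-expiration warning, or an error such as passwordExpired or accountLocked. The following is an added example (not code from this thread or from OpenLDAP) that decodes the control's BER value according to the ASN.1 in draft-behera-ldap-password-policy and picks the page to show the user, carrying only the username to the not-authorized URL as Buchan proposes. The page names, the one-week warning threshold, the `redirect_target` helper and the sample control bytes are this example's own assumptions; in a real handler the control bytes would be taken from the bind response (for instance via python-ldap's `ldap.controls.ppolicy`), which is not shown here.

```python
"""Decode an LDAP Password Policy response control and choose a page for the user.

Added example, not from the mailing-list thread or from OpenLDAP.  The BER layout
follows draft-behera-ldap-password-policy:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired (0), accountLocked (1), ... } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"   # response control OID from the draft

# ENUMERATED values of the 'error' field, as listed in the draft.
ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None   # seconds until the password expires
    grace_authns_remaining: Optional[int] = None   # grace logins left after this one
    error: Optional[str] = None


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (short- or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _int(value: bytes) -> int:
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy(control_value: bytes) -> PPolicyResponse:
    """Parse the PasswordPolicyResponseValue SEQUENCE into a PPolicyResponse."""
    tag, body, _ = _tlv(control_value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response is not a SEQUENCE")
    resp, pos = PPolicyResponse(), 0
    while pos < len(body):
        tag, value, pos = _tlv(body, pos)
        if tag == 0xA0:                       # [0] CONSTRUCTED wraps the warning CHOICE
            inner_tag, inner_val, _ = _tlv(value, 0)
            if inner_tag == 0x80:             # [0] timeBeforeExpiration
                resp.time_before_expiration = _int(inner_val)
            elif inner_tag == 0x81:           # [1] graceAuthNsRemaining
                resp.grace_authns_remaining = _int(inner_val)
            else:
                raise ValueError(f"unknown warning tag 0x{inner_tag:02x}")
        elif tag == 0x81:                     # [1] PRIMITIVE: the error ENUMERATED
            resp.error = ERRORS.get(_int(value), f"unknown({_int(value)})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in ppolicy response")
    return resp


WARN_BEFORE_EXPIRY = 7 * 24 * 3600            # assumption: warn when a week or less is left


def choose_page(bind_ok: bool, control_value: Optional[bytes]) -> str:
    """Map bind outcome plus ppolicy control to the page to show (names are hypothetical)."""
    pp = decode_ppolicy(control_value) if control_value else PPolicyResponse()
    if not bind_ok:
        if pp.error == "passwordExpired":     # grace logins exhausted: only a reset helps now
            return "request-password-reset"
        if pp.error == "accountLocked":
            return "account-locked"
        return "bad-credentials"              # wrong password, or no ppolicy control at all
    # The bind succeeded, but the control may still demand action from the user.
    if pp.grace_authns_remaining is not None: # password is expired; this bind consumed a grace login
        return "change-password-now"
    if pp.error == "changeAfterReset":        # admin-reset password must be changed first
        return "change-password-now"
    if pp.time_before_expiration is not None and pp.time_before_expiration <= WARN_BEFORE_EXPIRY:
        return "password-expires-soon"
    return "ok"


def redirect_target(not_authorized_url: str, username: str) -> str:
    """Carry only the username to the not-authorized URL; the password is never put in a URL."""
    return f"{not_authorized_url}?{urlencode({'user': username})}"


# Constructed sample control values (hand-encoded from the ASN.1 above, not captured traffic).
SAMPLE_GRACE_2    = bytes.fromhex("3005a003810102")     # warning: graceAuthNsRemaining = 2
SAMPLE_EXPIRES_1H = bytes.fromhex("3006a004800 20e10".replace(" ", ""))  # timeBeforeExpiration = 3600
SAMPLE_EXPIRED    = bytes.fromhex("3003810100")         # error: passwordExpired
SAMPLE_LOCKED     = bytes.fromhex("3003810101")         # error: accountLocked

if __name__ == "__main__":
    for ok, ctrl in [(True, SAMPLE_GRACE_2), (True, SAMPLE_EXPIRES_1H),
                     (False, SAMPLE_EXPIRED), (False, SAMPLE_LOCKED), (False, None)]:
        print(ok, decode_ppolicy(ctrl) if ctrl else None, "->", choose_page(ok, ctrl))
    print(redirect_target("/not-authorized", "bmilne"))
```

The two cases the thread turns on are visible in `choose_page`: a successful bind that nevertheless carries a graceAuthNsRemaining warning is the "password already expired, grace login used" situation from Buchan's reply and should go straight to a change-password form, while a failed bind with passwordExpired means the grace logins are gone and only a reset page is useful. A failed bind with no control at all is just a wrong password and should not leak which of these it was beyond what the page itself shows.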