Michael Ströder wrote:
Another approach could be to inform users via e-mail.
But what if users don't read emails until password expiration?
Damn! ;-)
Seriously: Discussing this to the end is beyond a short posting.
Seriously: I tried, for example, to bring up this discussion long ago with Cyrus-SASL, in order to allow extra information exchange after a successful authentication to allow clean and fruitful interaction, without real success (partly my fault, I admit). The point is that LDAP and its policy is just a bit of the big piece; too many clients need to be able to exploit this extra information in order to inform the user as cleanly and effectively as possible. In this sense, I also worked on allowing PHP (a widely used scripting language for web based applications, including webmails) to directly support LDAP extended operations (for password modify) and controls (for password policy), as I already discussed many times, so that the many useful web-based applications exploiting LDAP could make use of password policy.
So the issue raised by Andris is legitimate, and the forum is appropriate, but the problem is not OpenLDAP (or other LDAPv3 DSA implementations supporting password policies), but rather client design, not specifically limited to support of the LDAP side of password policy enforcement, but also to password policy information exploitation.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
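The client-side work Pierangelo describes, surfacing the password policy response control to the user, is what the following added example illustrates; it is not code from this thread or from OpenLDAP. It assumes the PasswordPolicyResponseValue syntax of the Behera password policy draft (OID 1.3.6.1.4.1.42.2.27.8.5.1, as implemented by OpenLDAP's ppolicy overlay), and the control values it decodes are constructed sample bytes, not captured from a server.

```python
"""Decode an LDAP password policy response control and turn it into a user message."""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control OID from the Behera draft

# error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlv(buf: bytes, pos: int):
    """Read one BER tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Parse PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE {...} OPTIONAL,
    error [1] ENUMERATED OPTIONAL } into a plain dict."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("not a PasswordPolicyResponseValue SEQUENCE")
    info = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                     # warning [0]: a CHOICE, so explicitly tagged
            ctag, cval, _ = _tlv(inner, 0)
            n = int.from_bytes(cval, "big")
            if ctag == 0x80:                # timeBeforeExpiration [0] INTEGER (seconds)
                info["time_before_expiration"] = n
            elif ctag == 0x81:              # graceAuthNsRemaining [1] INTEGER
                info["grace_authns_remaining"] = n
            else:
                raise ValueError(f"unknown warning tag 0x{ctag:02x}")
        elif tag == 0x81:                   # error [1] ENUMERATED
            info["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return info

def user_message(info: dict) -> str:
    """What a webmail or other client should tell the user after the bind."""
    if info["error"]:
        return f"Password policy error: {info['error']}"
    if info["grace_authns_remaining"] is not None:
        return f"Password expired; {info['grace_authns_remaining']} grace login(s) left, change it now"
    if info["time_before_expiration"] is not None:
        return f"Password expires in {info['time_before_expiration']} second(s); change it soon"
    return "No password policy warning"
```

A client would look up the control by PPOLICY_RESPONSE_OID among the bind response controls and feed its value to decode_ppolicy_response; a bind that fails for policy reasons still carries this control, which is the information Pierangelo says clients should exploit.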