On Wednesday 25 June 2008 22:26:48 Jeroen van Aart wrote:
> (I originally posted this on openldap-software, posting it to technical, since it seems to allow this type of discussion)
> Gavin Henry wrote:
>> If you don't have a default ppolicy defined and no pwdPolicySubentry then slapd will perform as it is currently configured.
> Thanks, I got it more or less working. But only ssh seems to obey it so far (I set pam_lookup_policy to yes). I would like to know if anyone has had success in making other frequently used software obey the password policy, such as imap, MTAs, webservers, especially if used through pam.
The biggest problem here is that not all software makes provision for "authentication" to respond with anything besides "yes" or "no".
I was trying to see if it would be feasible to add ppolicy support to mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code should the authentication return to apache (ideally one that would result in the user being sent to a page suitable for that code, e.g. to change their password)? In the squid case, it looks initially like squid needs a patch to support any password expiry at all (http://sarg.sourceforge.net/ncsaplus.php).
It doesn't look as if Courier's authdaemon supports password expiry at all yet.
I have also started discussions with some web application frameworks (e.g. Catalyst).
Maybe it would be worthwhile making a list of which applications could really do with password expiry support, and filing bugs on them for the missing pieces?
At present, I have password expiry working with login, sudo, ssh (on servers with password authentication enabled), and I need Catalyst and apache myself.
Now, if I could just change my passwords when prompted (ITS 5569) ...