Hi!
We use OpenLDAP for user authentication, and have now also implemented a password policy.
Authentication from Tomcat works without problem, but customers find out about expired passwords only after an unsuccessful bind, when all limits are exceeded.
ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
Is it possible to get the same info from a BIND operation performed from other systems against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
Thanks in advance,
Andris Eiduks wrote:
> ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
> Is it possible to get the same info from a BIND operation performed from other systems against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
The client applications have to support this as well, by using the password policy extended control with the bind request. Basically that's what ldapsearch does when you use it with "-e ppolicy".
See also doc/drafts/draft-behera-ldap-password-policy-xx.txt in OpenLDAP's source distribution.
Another approach could be to inform users via e-mail.
Ciao, Michael.
Michael Ströder wrote:
> Andris Eiduks wrote:
>> ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
>> Is it possible to get the same info from a BIND operation performed from other systems against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
> The client applications have to support this as well, by using the password policy extended control with the bind request. Basically that's what ldapsearch does when you use it with "-e ppolicy".
> See also doc/drafts/draft-behera-ldap-password-policy-xx.txt in OpenLDAP's source distribution.
> Another approach could be to inform users via e-mail.
But what if users don't read emails until password expiration?
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
Pierangelo Masarati wrote, on 16-01-2008 15:18:
[...]
>> Another approach could be to inform users via e-mail.
> But what if users don't read emails until password expiration?
Hehe ... at my Amsterdam high school site (supposedly populated by way-above-average IQ kids and teachers) I run OL ppolicy. Passwords en masse are coming up for renewal in February.
I have about 100 Dutch/immigrant kids out of about 800 who never read their mail, and nothing on earth will ever make them. I have around 80 teachers and 30 staff who can be forced to read their mail. I have a super system whereby everyone can send a VERP mail to himself and get back 6 password suggestions that pass the (very strict) stringency test. But what's the good of it if they never read their mail, their mail quotas are exceeded, or whatever?
At the moment the Linux/Samba login screens tell them to contact "their administrator". Suppose all 3 of us administrators are sick or dead or something?
I had thought about writing a shell script (Perl's not necessary, I already do half of this in shell) that looks at whether they've read their mail or not for the last week or so and, if they haven't, refuses them any further authentication. But I haven't got that far yet.
--Tonni
Pierangelo Masarati wrote:
> Michael Ströder wrote:
>> Andris Eiduks wrote:
>>> ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
>>> Is it possible to get the same info from a BIND operation performed from other systems against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
>> The client applications have to support this as well, by using the password policy extended control with the bind request. Basically that's what ldapsearch does when you use it with "-e ppolicy".
>> See also doc/drafts/draft-behera-ldap-password-policy-xx.txt in OpenLDAP's source distribution.
>> Another approach could be to inform users via e-mail.
> But what if users don't read emails until password expiration?
Damn! ;-)
Seriously: Discussing this to the end is beyond a short posting.
Ciao, Michael.
Michael Ströder wrote:
>>> Another approach could be to inform users via e-mail.
>> But what if users don't read emails until password expiration?
> Damn! ;-)
> Seriously: Discussing this to the end is beyond a short posting.
Seriously: I tried, for example, to bring up this discussion long ago with Cyrus-SASL, in order to allow extra information exchange after a successful authentication and so allow clean and fruitful interaction, without real success (partly my fault, I admit). The point is that LDAP and its policy is just a bit of the big piece; too many clients need to be able to exploit this extra information in order to inform the user as cleanly and effectively as possible. In this sense, I also worked on allowing PHP (a widely used scripting language for web-based applications, including webmails) to directly support LDAP extended operations (for password modify) and controls (for password policy), as I have already discussed many times, so that the many useful web-based applications exploiting LDAP could make use of password policy.
So the issue raised by Andris is legitimate, and the forum is appropriate, but the problem is not OpenLDAP (or other LDAPv3 DSA implementations supporting password policies), but rather client design: not specifically limited to support of the LDAP side of password policy enforcement, but also to password policy information exploitation.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
Andris Eiduks wrote:
> Hi!
> We use OpenLDAP for user authentication, and have now also implemented a password policy.
> Authentication from Tomcat works without problem, but customers find out about expired passwords only after an unsuccessful bind, when all limits are exceeded.
> ldapsearch with the option "-e ppolicy" shows info about the necessary password change.
> Is it possible to get the same info from a BIND operation performed from other systems against OpenLDAP? Or must we create special functions in the application for checking user attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
You need to make that client use the ppolicy control in order to retrieve the desired information, and that client must be able to show that information to the user. Usually, clients unaware of ppolicy do not expect binds to return any information other than success or failure. A ppolicy-unaware client could be returned the relevant ppolicy information in textual form in the LDAP response message, but usually the client will ignore it, or it won't have any means to present it to the user. For example, think of an interactive mail user agent: if the bind is successful, usually it just shows mail messages; in case of password expiration, it should rather pop up a box with that information and an "OK" button; a very clever one would also present a "Change your password now" button. This is not something you can delegate to the LDAP side of the client, so adding support for ppolicy to an LDAP-aware client is the least of it. To add further complexity, if the client (wisely) delegates authentication to some external means, like SASL, which in turn happens to use LDAP via ldapdb, there would be no means to let the ppolicy response slip through the SASL layer to the popup, because SASL as well only expects either success or failure.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
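As an added example (not code from the thread or from OpenLDAP), this is the piece of a ppolicy-aware client that Michael's and Pierangelo's replies both call for: after the bind, pick the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, from draft-behera) out of the BindResponse controls, decode its DER value, and turn it into a message the user can act on. The sample control values are hand-encoded here, and the tag layout (explicit [0] for the warning CHOICE, implicit [1] for the error ENUMERATED) follows what OpenLDAP's ppolicy overlay emits.

```python
# Added example (not from the thread): decode the password policy response
# control (draft-behera, OID 1.3.6.1.4.1.42.2.27.8.5.1) that OpenLDAP's ppolicy
# overlay attaches to a BindResponse when the client sent the request control.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """One DER tag/length/value at pos -> (tag, value, next_pos); short-form lengths only."""
    tag, length = buf[pos], buf[pos + 1]   # a ppolicy value is always a few bytes
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue -> dict of timeBeforeExpiration / graceAuthNsRemaining / error."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                    # warning [0] CHOICE, explicitly tagged
            wtag, num, _ = _tlv(inner, 0)  # holds [0] INTEGER or [1] INTEGER
            key = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out[key] = int.from_bytes(num, "big")
        elif tag == 0x81:                  # error [1] ENUMERATED, implicitly tagged
            out["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
    return out

def ppolicy_message(resp_controls):
    """BindResponse controls [(oid, criticality, value), ...] -> text for the user, or None."""
    for oid, _crit, value in resp_controls:
        if oid != PPOLICY_CONTROL_OID:
            continue
        info = decode_ppolicy_response(value)
        if "error" in info:
            return "Bind refused by password policy: %s" % info["error"]
        if "graceAuthNsRemaining" in info:
            return "Password expired: %d grace logins left, change it now." % info["graceAuthNsRemaining"]
        if "timeBeforeExpiration" in info:
            return "Your password expires in %d seconds." % info["timeBeforeExpiration"]
    return None

# Constructed sample control values (hand-encoded DER, not server captures).
SAMPLE_EXPIRES_SOON = bytes.fromhex("3006a00480020258")  # warning: 600 s left
SAMPLE_GRACE_LEFT = bytes.fromhex("3005a003810102")      # warning: 2 grace binds
SAMPLE_EXPIRED = bytes.fromhex("3003810100")             # error: passwordExpired
```

With python-ldap the same tuple list is what the bind result returns when the request control was attached; the decoder above replaces the library's control class so the example runs without a server.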
openldap-technical@openldap.org