Hi!
I have a question: When using ppolicy, is there a simple way for a user to detect that he/she is "on grace logins", i.e. the password has to be changed soon? We had a situation where some monitoring tools use periodic logins to some user account. When that user should have changed the password, the periodic logins consumed all the grace logins, and the user was effectively locked out. While there are many ways to resolve this, I wonder whether it would be rather easy to avoid any further login attempts when the user is expected to change the password.
Regards, Ulrich
On 12/2/21 09:34, Ulrich Windl wrote:
> I have a question: When using ppolicy, is there a simple way for a user to detect that he/she is "on grace logins", i.e. the password has to be changed soon?
The LDAP client has to send the appropriate request control and handle the response control values correctly.
Most LDAP clients do not support this.
> We had a situation where some monitoring tools use periodic logins to some user account. When that user should have changed the password, the periodic logins consumed all the grace logins, and the user was effectively locked out.
For various reasons grace logins are IMO a miserable concept and the situation you've described is just one of the symptoms that it's seriously broken.
Grace logins might work in a world of workstation logins (tightly controlled end-points). But it does not work for LDAP-based logins where you have arbitrary systems accessed via arbitrary clients.
> While there are many ways to resolve this, I wonder whether it would be rather easy to avoid any further login attempts when the user is expected to change the password.
1. Set grace logins to zero.
2. Instead, implement a decent mechanism to warn the user that his/her password expires soon, e.g. by sending e-mail or other messages.
3. If the user misses the warning (2.), then have a sufficiently secure password reset procedure in place (which you need anyway).
Ciao, Michael.
openldap-technical@openldap.org
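Michael's point that "the LDAP client has to send the appropriate request control and handle the response control values correctly" is concrete enough to show in code. The following is an added example, not code from either poster: it decodes the ppolicy response control value (OID 1.3.6.1.4.1.42.2.27.8.5.1) that OpenLDAP's ppolicy overlay attaches to a bind result when the client sent the request control, and derives from it the decision Ulrich was after, namely that an automated monitoring login should stop binding as soon as the server reports grace logins remaining or a password-policy error, rather than burning the grace logins itself. The function names and the sample byte strings are mine; the BER layout follows draft-behera-ldap-password-policy as OpenLDAP encodes it. python-ldap already ships a decoder for this control in `ldap.controls.ppolicy`; this stand-alone version exists so the logic can be read and run offline without a directory server.

```python
"""Decode the LDAP Password Policy response control value and decide whether an
automated (monitoring) login should stop binding.

Added example, not from the mailing-list thread. Layout per
draft-behera-ldap-password-policy (LDAP uses implicit tags, so the [0] on the
CHOICE is explicit/constructed and the leaves inside it are primitive):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,      -- tag 0x80 inside 0xA0
          graceAuthNsRemaining [1] INTEGER }     -- tag 0x81 inside 0xA0
        OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0) .. passwordInHistory(8) }
        OPTIONAL }                               -- tag 0x81 at top level
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one BER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue into a dict.

    Possible keys (each present only if the server sent it):
      time_before_expiration (seconds), grace_authns_remaining (count), error (name).
    """
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    result = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0]: constructed wrapper around the CHOICE
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("malformed warning CHOICE")
            n = int.from_bytes(cval, "big", signed=False)
            if ctag == 0x80:
                result["time_before_expiration"] = n
            elif ctag == 0x81:
                result["grace_authns_remaining"] = n
            else:
                raise ValueError("unknown warning tag 0x%02x" % ctag)
        elif tag == 0x81:  # error [1]: implicit primitive ENUMERATED
            code = int.from_bytes(inner, "big", signed=False)
            result["error"] = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected top-level tag 0x%02x" % tag)
    return result


def automated_login_should_stop(value):
    """Decision for a monitoring/service account: as soon as the server reports
    remaining grace logins or any ppolicy error, stop the periodic bind and
    alert a human, so the job itself does not consume the grace logins.
    A plain timeBeforeExpiration warning is a reason to warn, not to stop."""
    info = decode_ppolicy_response(value)
    return "grace_authns_remaining" in info or "error" in info


# Constructed sample control values (hand-encoded for this example, not
# captured from a real server):
SAMPLE_GRACE = bytes.fromhex("3005a003810102")          # graceAuthNsRemaining = 2
SAMPLE_EXPIRE = bytes.fromhex("3006a00480020e10")       # timeBeforeExpiration = 3600
SAMPLE_ERROR = bytes.fromhex("3003810100")              # error = passwordExpired
SAMPLE_BOTH = bytes.fromhex("3009a00480020e10810102")   # 3600 s left + changeAfterReset
SAMPLE_EMPTY = bytes.fromhex("3000")                    # nothing to report

if __name__ == "__main__":
    for name, raw in [("grace", SAMPLE_GRACE), ("expire", SAMPLE_EXPIRE),
                      ("error", SAMPLE_ERROR), ("both", SAMPLE_BOTH)]:
        print(name, decode_ppolicy_response(raw), "stop:", automated_login_should_stop(raw))
```

In a real client the bytes passed to `decode_ppolicy_response` come from the control with `PPOLICY_CONTROL_OID` in the bind response's server controls, and the response is only present when the bind request itself carried the request control (empty value) with that OID, which is exactly the part Michael notes most LDAP clients do not do.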