On 12/2/21 09:34, Ulrich Windl wrote:
> I have a question: When using ppolicy, is there a simple way for a
> user to detect that he/she is "on grace logins", i.e. the password
> has to be changed soon?
The LDAP client has to send the appropriate request control and handle
the response control values correctly.
Most LDAP clients do not support this.
> We had a situation where some monitoring tool used periodic logins
> to some user account. When that user should have changed the
> password, the periodic logins consumed all the grace logins, and the
> user was effectively locked out.
For various reasons grace logins are IMO a miserable concept and the
situation you've described is just one of the symptoms that it's
seriously broken.
Grace logins might work in a world of workstation logins (tightly
controlled end-points). But it does not work for LDAP-based logins where
you have arbitrary systems accessed via arbitrary clients.
> While there are many ways to resolve this, I wonder whether it would
> be rather easy to avoid any further login attempts when the user is
> expected to change the password.
1. Set grace logins to zero.
2. Instead implement a decent mechanism to warn the user that his/her
password expires soon, e.g. by sending e-mail or other messages.
3. If the user misses the warning (2.) then have a sufficiently secure
password reset procedure in place (which you need anyway).
Ciao, Michael.
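As an added example (not code from this thread, nor from OpenLDAP or python-ldap), here is a stdlib-only Python decoder for the password policy response control value that Michael refers to, plus a small classifier that answers Ulrich's question ("am I on grace logins?") from the decoded value. The control OID and the BER layout are those of draft-behera-ldap-password-policy (the same layout OpenLDAP's ppolicy overlay emits); the sample control values at the bottom are constructed for illustration, not captured from a server.

```python
"""Decode the LDAP Password Policy response control
(draft-behera-ldap-password-policy).  Added example, not from the thread.

The client must attach a request control with PPOLICY_CONTROL_OID (empty
value) to its bind; a server that implements the draft answers with a
response control carrying the same OID and the value decoded below.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # request and response share it

# error ENUMERATED values from the draft
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:            # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length exceeds buffer")
    return tag, buf[pos:end], end


def _ber_int(b):
    return int.from_bytes(b, "big", signed=True)


def decode_ppolicy_response(value):
    """Decode PasswordPolicyResponseValue into a dict.

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE {
            timeBeforeExpiration [0] INTEGER,
            graceAuthNsRemaining [1] INTEGER } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired(0), ... } OPTIONAL }

    'warning' is explicitly tagged (0xA0, constructed) around an implicitly
    tagged INTEGER (0x80 or 0x81); 'error' is an implicitly tagged
    ENUMERATED (0x81).  Result keys: timeBeforeExpiration (seconds),
    graceAuthNsRemaining (count), error (name) -- each present only if sent.
    """
    result = {}
    tag, seq, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("value is not a single SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                                   # warning
            inner_tag, inner, inner_end = _read_tlv(content, 0)
            if inner_end != len(content):
                raise ValueError("trailing bytes after warning CHOICE")
            if inner_tag == 0x80:
                result["timeBeforeExpiration"] = _ber_int(inner)
            elif inner_tag == 0x81:
                result["graceAuthNsRemaining"] = _ber_int(inner)
            else:
                raise ValueError("unknown warning tag 0x%02x" % inner_tag)
        elif tag == 0x81:                                 # error
            code = _ber_int(content)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def password_status(decoded):
    """Turn a decoded response into the message a client should show the user."""
    if "error" in decoded:
        return "error: " + decoded["error"]
    if "graceAuthNsRemaining" in decoded:     # the 'on grace logins' case from the question
        return ("on grace logins: %d left, change your password now"
                % decoded["graceAuthNsRemaining"])
    if "timeBeforeExpiration" in decoded:
        return "password expires in %d seconds" % decoded["timeBeforeExpiration"]
    return "ok"


# Constructed sample control values (hand-encoded, not captured from a server).
SAMPLES = {
    "grace":   bytes.fromhex("3005a003810102"),      # graceAuthNsRemaining = 2
    "expires": bytes.fromhex("3007a0058003093a80"),  # timeBeforeExpiration = 604800 s (7 days)
    "expired": bytes.fromhex("3003810100"),          # error = passwordExpired
    "clean":   bytes.fromhex("3000"),                # nothing to report
}


def sample_statuses():
    """Decode every constructed sample and return {name: status message}."""
    return {name: password_status(decode_ppolicy_response(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in sample_statuses().items():
        print("%-8s %s" % (name, status))
```

A client gets the response value by sending the request control on its bind (the OpenLDAP command-line tools do this with `-e ppolicy`); the decoder above then tells the user whether they are on grace logins, how long until expiry, or why the bind failed. Reject any value whose tags do not match the layout rather than guessing, since a mis-parsed warning silently loses exactly the information the question is about.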