On Tuesday, 6 October 2009 14:08:36 Gustavo Schroeder wrote:

Hi,

I'm planning to implement the ppolicy overlay in our repository and a major doubt came out. Suppose I got ppolicy overlay up and running and pwdMaxAge=10368000 (120 days) and as I've been googling around pam_ldap has the ability to provide user warnings about password expiration. My question is, will the userland apps like Thunderbird, Horde IMP (via passwd module),

In many cases, other protocols (e.g. IMAP, HTTP) have lacked support for informing the user that, while they authenticated, their password will need to be changed in future. So, even if the IMAP server could be modified to support the password policy control, you would still need a protocol extension for the other protocols, and clients to support it.

IMAP recently got the "EXPIRED" response code (http://tools.ietf.org/html/rfc5530), but so far it seems only one IMAP server (dovecot - http://www.linux-magazine.com/Online/News/Dovecot-1.2-IMAP-Server- with-New-Plugins/(kategorie)/0 ) supports it. I can't find any evidence of any clients supporting it. However, checking whether dovecot's LDAP support has ppolicy support that would result in an EXPIRED response would be your first stop. If not, I would file a bug on dovecot for the feature.

If you are using a different IMAP server, you should check if they support RFC5530, and if not, file bugs for this.

However, there seems to be no way for the user to change their password over IMAP, so you would need to ensure that they have some means of doing so (and are aware of it).

Samba provide password warnings to the end user?

Samba has it's own password expiry attributes, and assuming your users log into the samba domain, they should be prompted to change their passwords.

However, currently there is no easy way to keep the password expiry attributes in sync if passwords are not changed exclusively with samba. Unfortunately ppolicy + smbk5pwd don't update all samba password expiry attributes (I should file an ITS ...).

How will the user get warned when his/her password is about to expire? Is this something that the directory server will provide?

In an environment where people were not using protocols that supported notification of password expiry, I used a perl script in a daily cron job to send the user an email warning them that their password would expire.

It really at some stage needs a config file (but, that would require interpolating variables into messages which should be configurable), but I have attached a version. If you are going to use it, search for 'mydomain' and change as appropriate.

(One change I should probably make is to inform the user after their password has expired, that it has, and that no more warnings will be sent)

I also attached a perl CGI (ldap-password.pl) supporting ppolicy password checking/changing (which was running on the URLS in the mail). E.g., in my case I needed to provide a means for users to change their password when their VPN access no longer worked due to their password expiring, and the VPN/RADIUS server could not warn them in advance ...

If people find these useful I can spend the time to clean them up to use configuration files instead, and one or two other issues.

Regards, Buchan