On Tuesday, 6 October 2009 14:08:36 Gustavo Schroeder wrote:
> I'm planning to implement the ppolicy overlay in our repository and a
> major doubt came out.
> Suppose I got ppolicy overlay up and running and pwdMaxAge=10368000
> (120 days) and as I've been googling around pam_ldap has the ability
> to provide user warnings about password expiration.
> My question is, will the userland apps like Thunderbird, Horde IMP
> (via passwd module),
In many cases, other protocols (e.g. IMAP, HTTP) have lacked support for
informing the user that, while they authenticated, their password will need to
be changed in future. So, even if the IMAP server could be modified to support
the password policy control, you would still need a protocol extension for the
other protocols, and clients to support it.
IMAP recently got the "EXPIRED" response code, but so far it seems only one IMAP server
(dovecot - http://www.linux-magazine.com/Online/News/Dovecot-1.2-IMAP-Server-with-New-Plugins/(kategorie)/0 )
supports it. I can't find any evidence of any
clients supporting it. However, checking whether dovecot's LDAP support has
ppolicy support that would result in an EXPIRED response would be your first
stop. If not, I would file a bug on dovecot for the feature.
If you are using a different IMAP server, you should check if they support
RFC5530, and if not, file bugs for this.
However, there seems to be no way for the user to change their password over
IMAP, so you would need to ensure that they have some means of doing so (and
are aware of it).
> Samba provide password warnings to the end user?
Samba has its own password expiry attributes, and assuming your users log
into the samba domain, they should be prompted to change their passwords.
However, currently there is no easy way to keep the password expiry attributes
in sync if passwords are not changed exclusively with samba. Unfortunately
ppolicy + smbk5pwd don't update all samba password expiry attributes (I should
file an ITS ...).
> How will the user get warned when his/her password is about to
> Is this something that the directory server will provide?
In an environment where people were not using protocols that supported
notification of password expiry, I used a perl script in a daily cron job to
send the user an email warning them that their password would expire.
It really at some stage needs a config file (but, that would require
interpolating variables into messages which should be configurable), but I have
attached a version. If you are going to use it, search for 'mydomain' and
change as appropriate.
(One change I should probably make is to inform the user after their password
has expired, that it has, and that no more warnings will be sent)
I also attached a perl CGI (ldap-password.pl) supporting ppolicy password
checking/changing (which was running on the URLs in the mail). E.g., in my
case I needed to provide a means for users to change their password when their
VPN access no longer worked due to their password expiring, and the VPN/RADIUS
server could not warn them in advance ...
If people find these useful I can spend the time to clean them up to use
configuration files instead, and one or two other issues.
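The daily cron check the reply describes, as an added example in Python rather than the author's attached Perl script: it computes expiry from the ppolicy attributes (pwdChangedTime plus pwdMaxAge, using the 10368000-second value from the question) on constructed sample entries and decides which users are due a warning or the final "expired" notice the author says the script still lacks. The 14-day warning window, the mydomain.example host and the mail wording are assumptions.

```python
"""Daily ppolicy expiry check, modelled on the cron job described in the mail.

Added example, not the author's Perl script.  Input is the set of ppolicy
attributes a real run would fetch from LDAP (here: constructed sample entries);
expiry is pwdChangedTime + pwdMaxAge, as slapo-ppolicy computes it.
"""
from datetime import datetime, timedelta, timezone

PWD_MAX_AGE = 10368000        # seconds = 120 days, the value from the mail
WARN_DAYS = 14                # assumed: start warning two weeks before expiry

def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20090615120000Z' (UTC form only)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_status(entry, now, max_age=PWD_MAX_AGE, warn_days=WARN_DAYS):
    """Return (state, days_left); state is 'no-expiry', 'ok', 'warn' or 'expired'.
    days_left is negative once the password has expired."""
    changed = entry.get("pwdChangedTime")
    if changed is None:
        # No reference time, so ppolicy cannot expire it (assumption: skip user)
        return "no-expiry", None
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    days_left = (expires - now).days
    if now >= expires:
        return "expired", days_left
    return ("warn" if days_left <= warn_days else "ok"), days_left

def build_notice(uid, state, days_left, domain="mydomain.example"):
    """Mail body for the user, or None when nothing should be sent today."""
    if state == "warn":
        return (f"{uid}: your {domain} password expires in {days_left} day(s). "
                f"Change it at https://{domain}/ldap-password.pl")  # assumed URL
    if state == "expired":   # one final notice instead of endless daily warnings
        return (f"{uid}: your {domain} password expired {-days_left} day(s) ago. "
                "No further warnings will be sent; contact the helpdesk.")
    return None

def due_notices(entries, now):
    """Map uid -> mail body (or None) for one daily run."""
    return {e["uid"]: build_notice(e["uid"], *expiry_status(e, now)) for e in entries}

# Constructed sample data: the mail's date as 'now', four users in different states.
SAMPLE_NOW = datetime(2009, 10, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": "alice", "pwdChangedTime": "20090925120000Z"},  # 109 days left -> ok
    {"uid": "bob",   "pwdChangedTime": "20090615120000Z"},  # 7 days left -> warn
    {"uid": "carol", "pwdChangedTime": "20090501120000Z"},  # expired 38 days ago
    {"uid": "dave"},                                        # never set -> no-expiry
]

if __name__ == "__main__":
    for uid, body in due_notices(SAMPLE_ENTRIES, SAMPLE_NOW).items():
        print(uid, "->", body or "(no mail)")
```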