
Re: ppolicy by group



On Wednesday 25 June 2008 22:26:48 Jeroen van Aart wrote:
> (I originally posted this on openldap-software, posting it to technical,
> since it seems to allow this type of discussion)
>
> Gavin Henry wrote:
> > If you don't have a default ppolicy defined and no pwdPolicySubentry
> > then slapd will perform as it is currently configured.
>
> Thanks, I got it more or less working. But only ssh seems to obey it so
> far (I set pam_lookup_policy to yes). I would like to know if anyone has had
> success in making other frequently used software obey the password
> policy, such as imap, MTAs, webservers, especially if used through pam.

The biggest problem here is that not all software makes provision 
for "authentication" to respond with anything besides "yes" or "no".

I was trying to see if it would be feasible to add ppolicy support to 
mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code 
should the authentication return (ideally one that would result in the user 
being sent to a page suitable for that code - e.g. to change their password) 
to apache? In the squid case, it looks initially like squid needs a patch to 
support any password expiry at all 
(http://sarg.sourceforge.net/ncsaplus.php).

It doesn't look as if Courier's authdaemon supports password expiry at all 
yet.

I have also started discussions with some web application frameworks (e.g. 
Catalyst).


Maybe it would be worthwhile making a list of which applications could really 
do with password expiry support, and filing bugs on them for the missing 
pieces?

At present, I have password expiry working with login, sudo, ssh (on servers 
with password authentication enabled), and I need Catalyst and apache myself.

Now, if I could just change my passwords when prompted (ITS 5569) ...
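The "yes or no" limitation discussed above is an application-side one: the ppolicy overlay already returns more than a bind result, via the password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, from the Behera password policy draft), which carries a warning (seconds before expiry, or grace logins remaining) and/or an error code (expired, locked, must change after reset, ...). The following is an added example, not code from the thread or from OpenLDAP: a small BER decoder for that control value, plus a mapping from its fields to the action an application would need to take (send the user to a change-password page, show an expiry warning, refuse the login). The hex strings are constructed here to match the tag layout slapd emits (warning as context tag [0] wrapping [0] timeBeforeExpiration or [1] graceAuthNsRemaining, error as context tag [1]); any real client would obtain the bytes from the bind response control instead.

```python
"""Decode the LDAP password policy response control (draft-behera-ldap-password-policy).

Added example for illustration; it is not part of OpenLDAP or of any client library.
"""
import enum
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control OID from the draft


class PPolicyError(enum.IntEnum):
    """Error values of the control's ENUMERATED field (draft section 6.2)."""
    passwordExpired = 0
    accountLocked = 1
    changeAfterReset = 2
    passwordModNotAllowed = 3
    mustSupplyOldPassword = 4
    insufficientPasswordQuality = 5
    passwordTooShort = 6
    passwordTooYoung = 7
    passwordInHistory = 8


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds, from warning [0]
    grace_authns_remaining: Optional[int] = None  # count, from warning [1]
    error: Optional[PPolicyError] = None          # from error [1]


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value triple; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def _ber_int(raw: bytes) -> int:
    if not raw:
        raise ValueError("empty INTEGER")
    return int.from_bytes(raw, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> PPolicyResponse:
    """Parse the control value: SEQUENCE { warning [0] CHOICE {...} OPTIONAL, error [1] ENUMERATED OPTIONAL }."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    resp = PPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed, wrapping the CHOICE
            wtag, wval, wend = _read_tlv(field, 0)
            if wend != len(field):
                raise ValueError("trailing bytes inside warning")
            if wtag == 0x80:    # timeBeforeExpiration [0] INTEGER
                resp.time_before_expiration = _ber_int(wval)
            elif wtag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                resp.grace_authns_remaining = _ber_int(wval)
            else:
                raise ValueError(f"unknown warning choice tag {wtag:#x}")
        elif tag == 0x81:  # error [1] ENUMERATED
            resp.error = PPolicyError(_ber_int(field))
        else:
            raise ValueError(f"unexpected tag {tag:#x} in PasswordPolicyResponseValue")
    return resp


def next_action(resp: PPolicyResponse) -> str:
    """Map the control to what an application that only knew 'yes/no' would need to do."""
    if resp.error is PPolicyError.accountLocked:
        return "locked"        # refuse; do not reveal more than a generic failure to the user
    if resp.error is PPolicyError.passwordExpired:
        return "expired"       # bind failed; route to a password-change flow
    if resp.error is PPolicyError.changeAfterReset:
        return "must_change"   # bind succeeded but only a password change is permitted
    if resp.error is not None:
        return "denied"        # remaining codes apply to password-modify attempts
    if resp.grace_authns_remaining is not None:
        return "grace"         # expired, logged in on a grace authentication
    if resp.time_before_expiration is not None:
        return "expiring"      # good login, but show the expiry warning
    return "ok"


# Constructed sample control values (hex), laid out the way slapd's ppolicy overlay encodes them.
SAMPLES = {
    "expiring_in_one_day": bytes.fromhex("3007a0058003015180"),  # warning [0] -> [0] INTEGER 86400
    "two_grace_logins":    bytes.fromhex("3005a00381 0102".replace(" ", "")),  # warning [0] -> [1] INTEGER 2
    "password_expired":    bytes.fromhex("3003810100"),          # error [1] ENUMERATED 0
    "no_warning":          bytes.fromhex("3000"),                # empty SEQUENCE
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = decode_ppolicy_response(raw)
        print(f"{name:22s} -> {next_action(r):12s} {r}")
```

The point for the thread is the shape of the data, not the parser: a PAM module, a web framework or an IMAP daemon that requests this control on bind gets exactly the information needed to distinguish "expired, go change it" from "wrong password", which is what mod_auth_ldap and friends currently throw away.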