Re: ppolicy by group
On Wednesday 25 June 2008 22:26:48 Jeroen van Aart wrote:
> (I originally posted this on openldap-software, posting it to technical,
> since it seems to allow this type of discussion)
>
> Gavin Henry wrote:
> > If you don't have a default ppolicy defined and no pwdPolicySubentry
> > then slapd will perform as it is currently configured.
>
> Thanks, I got it more or less working. But only ssh seems to obey it so
> far (I set pam_lookup_policy to yes). I would like to know if anyone has had
> success in making other frequently used software obey the password
> policy, such as imap, MTAs, webservers, especially if used through pam.
The biggest problem here is that not all software makes provision
for "authentication" to respond with anything besides "yes" or "no".
I was trying to see if it would be feasible to add ppolicy support to
mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code
should the authentication return (ideally one that would result in the user
being sent to a page suitable for that code - e.g. to change their password)
to apache? In the squid case, it looks initially like squid needs a patch to
support any password expiry at all
(http://sarg.sourceforge.net/ncsaplus.php).
It doesn't look as if Courier's authdaemon supports password expiry at all
yet.
I have also started discussions with some web application frameworks (e.g.
Catalyst).
Maybe it would be worthwhile making a list of which applications could really
do with password expiry support, and filing bugs on them for the missing
pieces?
At present, I have password expiry working with login, sudo, ssh (on servers
with password authentication enabled), and I need Catalyst and apache myself.
Now, if I could just change my passwords when prompted (ITS 5569) ...
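The "more than yes or no" that a ppolicy-aware client has to handle is the password policy response control slapd attaches to the bind result. As an added example (not code from this thread or from OpenLDAP), here is a decoder for that control's DER value, run over constructed sample bytes; the tag bytes follow the draft-behera encoding that slapd's ppolicy overlay emits:

```python
# Decoder for the OpenLDAP ppolicy response control (added example, not code from
# the thread). Control OID 1.3.6.1.4.1.42.2.27.8.5.1; its value is the DER-encoded
# PasswordPolicyResponseValue from draft-behera-ldap-password-policy.
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0   # warning [0]: constructed, wraps one of the two tags below
TAG_EXPIRE = 0x80    # timeBeforeExpiration [0] INTEGER, seconds until expiry
TAG_GRACE = 0x81     # graceAuthNsRemaining [1] INTEGER
TAG_ERROR = 0x81     # error [1] ENUMERATED (same byte as TAG_GRACE, outer level)
ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated control value")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value: bytes) -> dict:
    """Return only the fields present: timeBeforeExpiration (seconds),
    graceAuthNsRemaining, error (name). Empty dict: nothing to report."""
    tag, body, _ = _tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, _ = _tlv(inner, 0)
            key = "timeBeforeExpiration" if wtag == TAG_EXPIRE else "graceAuthNsRemaining"
            out[key] = int.from_bytes(wval, "big")
        elif tag == TAG_ERROR:
            out["error"] = ERRORS.get(inner[0], "unknown(%d)" % inner[0])
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out

# Constructed sample control values (not captured from a real server):
SAMPLE_EXPIRES_IN_1H = bytes.fromhex("3006a00480020e10")       # bind OK, 3600 s left
SAMPLE_GRACE_LOGINS = bytes.fromhex("3005a003810102")          # bind OK, 2 grace binds left
SAMPLE_EXPIRED = bytes.fromhex("3003810100")                   # bind failed: passwordExpired
SAMPLE_MUST_CHANGE = bytes.fromhex("3009a00480020e10810102")   # expiring + changeAfterReset
```

An application that only inspects the bind result code sees a success for the first two samples and a plain failure for the third; the warning and error fields are where "change your password now" or "locked out" would have to come from.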