Re: ppolicy by group
Buchan Milne wrote:
The biggest problem here is that not all software makes provision
for "authentication" to respond with anything besides "yes" or "no".
Yupp.
I was trying to see if it would be feasible to add ppolicy support to
mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code
should the authentication return (ideally one that would result in the user
being sent to a page suitable for that code - e.g. to change their password)
to apache? In the squid case, it looks initially like squid needs a patch to
support any password expiry at all
(http://sarg.sourceforge.net/ncsaplus.php).
Bear in mind that in a single password environment proxy authentication
(like with Squid) is somewhat a security risk anyway since the password
is transferred in clear over the wire to the proxy for each HTTP hit
going through the proxy.
I have also started discussions with some web application frameworks (e.g.
Catalyst).
I'd rather recommend using a decent WebSSO system and integrating web
servers/applications with that central authentication component, because
when using centralized passwords you don't want to transmit the password
to every integrated system. Rather, in an SSO system the systems see only
short-time tickets. I'm successfully using CAS for that in one customer
project. It works pretty well and the developers are very responsive.
Maybe it would be worthwhile making a list of which applications could really
do with password expiry support, and filing bugs on them for the missing
pieces?
Not worth the effort for web access. Rather integrate with a WebSSO
solution and handle the password policy stuff in a central place.
Ciao, Michael.
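As an added example (not part of this thread or of any of the projects named in it), here is how an authenticator could decode the ppolicy response control that comes back with an LDAP bind and turn it into something richer than a plain yes/no; the control OID and ASN.1 layout are taken from the ppolicy draft, while the sample control values and the action names are constructed here.

```python
"""Decode the LDAP Password Policy response control (ppolicy) and map it to an
authentication decision.  Control layout per draft-behera-ldap-password-policy:
  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                           graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]

def _tlvs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split BER bytes into (tag, contents) pairs; single-byte tags, short/long lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 1 >= len(buf):
            raise ValueError("truncated BER header")
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                      # long-form length: next n bytes hold it
            n, ln = ln & 0x7F, 0
            for b in buf[i:i + n]:
                ln = (ln << 8) | b
            i += n
        if i + ln > len(buf):
            raise ValueError("truncated BER element")
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

@dataclass
class PPolicy:
    time_before_expiration: Optional[int] = None   # seconds
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None

def decode_ppolicy(value: bytes) -> PPolicy:
    """Parse the control value (the contents of the bind response control)."""
    (tag, seq), = _tlvs(value)             # exactly one outer SEQUENCE expected
    if tag != 0x30:
        raise ValueError("ppolicy control value is not a SEQUENCE")
    pp = PPolicy()
    for tag, body in _tlvs(seq):
        if tag == 0xA0:                    # warning [0], constructed, wraps the CHOICE
            (ctag, num), = _tlvs(body)
            if ctag == 0x80:
                pp.time_before_expiration = int.from_bytes(num, "big")
            elif ctag == 0x81:
                pp.grace_authns_remaining = int.from_bytes(num, "big")
        elif tag == 0x81:                  # error [1], primitive ENUMERATED
            code = int.from_bytes(body, "big")
            pp.error = ERRORS[code] if code < len(ERRORS) else f"unknown({code})"
    return pp

def decide(bind_ok: bool, pp: PPolicy) -> str:
    """Action names are constructed; a web authenticator would map them to its own responses."""
    if pp.error in ("passwordExpired", "changeAfterReset"):
        return "deny:redirect-to-password-change"
    if pp.error == "accountLocked":
        return "deny:account-locked"
    if not bind_ok:
        return "deny"
    if pp.grace_authns_remaining is not None:
        return f"allow:grace-logins-left={pp.grace_authns_remaining}"
    if pp.time_before_expiration is not None:
        return f"allow:expires-in={pp.time_before_expiration}s"
    return "allow"

SAMPLES = {  # constructed control values, not captured from a real server
    "expiring": bytes.fromhex("3006a00480020e10"),   # timeBeforeExpiration = 3600
    "grace":    bytes.fromhex("3005a003810102"),     # graceAuthNsRemaining = 2
    "expired":  bytes.fromhex("3003810100"),         # error passwordExpired
    "locked":   bytes.fromhex("3003810101"),         # error accountLocked
    "none":     bytes.fromhex("3000"),               # empty SEQUENCE: nothing to report
}
```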