
Re: password policy



Buchan Milne wrote:
> On Wednesday, 15 February 2012 12:24:59 Michael Ströder wrote:
>> Christian Bösch wrote:
>>> I want to force a password change for a user. Therefore I set pwdreset:
>>> true, but to change the password, bind attempts are still allowed.
>>> I think that's the reason why a user with pwdreset=true can still log in
>>> to an Apache web resource which is protected with LDAP authentication. Is
>>> there a way to prohibit that?
>>> I only want to allow the user the password change.
>>
>> Strictly speaking: In case of pwdreset=TRUE the LDAP client has to 1.
>> request and process the ppolicy controls and 2. lead the user to the
>> password change dialogue. Most LDAP clients are not capable of doing so.
>
> Well, I wouldn't necessarily say the problem is on the LDAP client side.

I didn't say this.

> (AFAIK) Many protocols (e.g. HTTP, IMAP etc.) don't have the ability to
> communicate to the client that the user's password needs to be changed.

That's what I basically said.

>> So if you simply want to avoid that such a user can log in to such a service
>> you could either
>> 1. configure a client-side search filter
>> (&(uid=<user-id>)(!(pwdreset=TRUE))) or 2.
>
> This would make sense for clients that can't communicate the need to change
> the password to the user.

Yepp, but it requires that you can define such a filter at the client side.

>> define a server-side ACL which
>> disallows even authc access to userPassword for those LDAP clients.
>
> This doesn't make sense, as it would prevent good clients from doing the right
> thing.

ACLs are powerful enough to distinguish various cases.

Ciao, Michael.
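As an added illustration of the second option (not from the thread or from the OpenLDAP project), a slapd access directive that addresses the objection above: only the named client that cannot run a password-change dialogue loses authc access to userPassword for entries flagged pwdReset=TRUE, while every other client keeps it. The web server address 192.0.2.10 and the slapd.conf (not cn=config) syntax are assumptions.

```conf
# Added example, not from the thread. Assumes slapd.conf syntax and that the
# Apache front-end (mod_authnz_ldap) binds from 192.0.2.10 (constructed value).
# slapd applies the first "access to" clause whose <what> matches the entry,
# so the narrower rule for entries with pwdReset=TRUE must come first.
# The "by" clauses are also evaluated in order:
#   - the web front-end gets no access at all, so the simple bind fails and the
#     protected web resource stays closed for a user who must reset;
#   - the user can still bind from any other client and change the own
#     password (auth, then write; no read of the stored hash);
#   - every other client keeps authc access, so a ppolicy-aware client can
#     bind, receive the control and lead the user to the change dialogue.
# Comment lines must not be indented: an indented line is a continuation of
# the previous directive in slapd.conf.
access to filter=(pwdReset=TRUE) attrs=userPassword
        by peername.ip=192.0.2.10 none
        by self =xw
        by * auth

# Entries not flagged for reset: the usual userPassword rule.
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none
```

Check the result with slapacl(8) before reloading, e.g. with -b set to a flagged user's DN and -o peername=... to simulate the web server's connection, so the "none" branch is hit only for that client.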