Re: Expired password notification

[Pierangelo Masarati <ando@sys-net.it>]

Michael Ströder wrote:

>>> Another approach could be to inform users via e-mail.
>>
>> But what if users don't read emails until password expiration?
> 
> Damn! ;-)
> 
> Seriously: Discussing this to the end is beyond a short posting.

Seriously: I tried, for example, to bring up this discussion long ago
with Cyrus-SASL, in order to allow extra information exchange after a
successful authentication to allow clean and fruitful interaction,
without real success (partly for my fault, I admit).  The point is that
LDAP and its policy is just a bit of the big piece, too many clients
need to be able to exploit this extra information in order to inform the
user as cleanly and effectively as possible.  In this sense, I also
worked at allowing PHP (a widely used scripting language for web based
applications, including webmails) to directly support LDAP extended
operations (for password modify) and controls (for password policy) as I
already discussed many times, so that so many useful web-based
applications exploiting LDAP could make use of password policy.

So the issue raised by Andris is legitimate, and the forum is
appropriate, but the problem is not OpenLDAP (or other LDAPv3 DSA
implementations supporting password policies), but rather client design,
not specifically limited to support of the LDAP side of password policy
enforcement, but also to password policy information exploitation.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------