Re: Expired password notification
Andris Eiduks wrote:
> We use OpenLDAP for user authentication.
> And now also implemented password policy.
> Authentication from Tomcat works without problem but customers find out
> about expired passwords only after unsuccessful binding when all limits are
> ldapsearch with option "-e ppolicy" shows info about necessary password
> Is it possible to get the same info via a BIND operation performed from
> another system's side against OpenLDAP?
> Or must we create special functions in the application for checking user
> attributes (pwdChangedTime, pwdGraceUseTime) and generating notifications?
You need to make that client use the ppolicy control in order to
retrieve the desired information, and that client must be able to show
that information to the user. Usually, clients unaware of ppolicy do
not expect binds to return any information other than success or
failure. A ppolicy-unaware client could be returned the relevant
ppolicy information in textual form in the LDAP response message, but
usually the client will ignore it, or it won't have any means to present
it to the user; for example, think of an interactive mail user agent: if
bind is successful, usually they just show mail messages; in case of
password expiration, they should rather pop up a box with that
information and the "OK" button; a very clever one would also present a
"Change your password now" button. This is not something you can
delegate to the LDAP side of the client, so adding support for ppolicy
to an LDAP-aware client is the least. To add further complexity, if the
client (wisely) delegates authentication to some external means, like
SASL, which in turn happens to use LDAP via ldapdb, there would be no
means to let the ppolicy response slip through the SASL layer to the popup,
because SASL as well only expects either success or failure.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
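As an added illustration of what the reply asks the client to do (not code from the thread or from OpenLDAP), the following decodes the ppolicy response control value that slapd returns on a bind when the client sent the request control, and turns it into the message for the popup box. The BER layout and tag values follow draft-behera-ldap-password-policy as OpenLDAP emits them; the sample control values are hand-constructed, not captured from a server.

```python
"""Decode the LDAP password-policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1,
draft-behera-ldap-password-policy) returned on a BindResponse.  BER layout, tags as slapd emits:
SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER }
           OPTIONAL, error [1] ENUMERATED OPTIONAL }"""
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # match the response control on this OID
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
          "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]

def _tlv(buf, pos):
    """Read one BER TLV at pos: return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy(value):
    """Return {'expires_in': seconds|None, 'grace_left': count|None, 'error': name|None}."""
    out = {"expires_in": None, "grace_left": None, "error": None}
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0]: exactly one context-tagged INTEGER inside
            wtag, num, _ = _tlv(inner, 0)
            n = int.from_bytes(num, "big", signed=True)
            if wtag == 0x80:
                out["expires_in"] = n
            elif wtag == 0x81:
                out["grace_left"] = n
        elif tag == 0x81:  # error [1] ENUMERATED
            code = int.from_bytes(inner, "big", signed=True)
            out["error"] = ERRORS[code] if 0 <= code < len(ERRORS) else "unknown(%d)" % code
    return out

def user_message(info):
    """Text for the dialog the reply above asks the client to show (None = nothing to say)."""
    if info["error"]:  # the bind itself failed; explain why, never treat it as a login
        return "Login refused: %s" % info["error"]
    if info["grace_left"] is not None:
        return "Your password has expired; %d grace login(s) left. Change it now." % info["grace_left"]
    if info["expires_in"] is not None:
        return "Your password expires in %d day(s). Change it now?" % (info["expires_in"] // 86400)
    return None

SAMPLE_EXPIRES = bytes.fromhex("3007a0058003015180")  # constructed: timeBeforeExpiration = 86400 s
SAMPLE_GRACE = bytes.fromhex("3005a003810102")        # constructed: graceAuthNsRemaining = 2
SAMPLE_LOCKED = bytes.fromhex("3003810101")           # constructed: error = accountLocked (1)
```

A client library that already exposes the decoded control can skip the parsing and feed its fields straight to `user_message`; the point is that the application, not the LDAP layer, owns the dialog.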