Re: ppolicy by group

[Michael Ströder <michael@stroeder.com>]

Buchan Milne wrote:
> The biggest problem here is that not all software makes provision 
> for "authentication" to respond with anything besides "yes" or "no".

Yupp.

> I was trying to see if it would be feasible to add ppolicy support to 
> mod_auth_ldap (for apache), or Squid's mod_auth_ldap, but what HTTP code 
> should the authentication return (ideally one that would result in the user 
> being sent to a page suitable for that code - e.g. to change their password) 
> to apache? In the squid case, it looks initially like squid needs a patch 
> support any password expiry at all 
> (http://sarg.sourceforge.net/ncsaplus.php).

Bear in mind that in a single password environmemt proxy authentication 
(like with Squid) is somewhat a security risk anyway since the password 
is transferred in clear over the wire to the proxy for each HTTP hit 
going through the proxy.

> I have also started discussions with some web application frameworks (e.g. 
> Catalyst).

I'd rather recommend to use a decent WebSSO system and integrate web 
servers/applications with that central authentication component because 
when using centralized passwords you don't want to transmit the password 
to every integrated system. Rather in a SSO system system see only 
short-time tickets. I'm successfully using CAS for that in one customer 
project. It works pretty well and the developers are very responsive.

> Maybe it would be worthwhile making a list of which applications could really 
> do with password expiry support, and filing bugs on them for the missing 
> pieces?

Not worth the effort for web access. Rather integrate with a WebSSO 
solution and handle the password policy stuff in a central place.

Ciao, Michael.