
Re: ppolicy by group

On Thursday 26 June 2008 17:39:27 Michael Ströder wrote:
> Buchan Milne wrote:
> > On Thursday 26 June 2008 13:52:05 Michael Ströder wrote:
> >> Let's look at a very simply case: How should a web server which
> >> implements HTTP basic authc implement the user interaction needed? It
> >> simply relies on the browser popping up the login window, nothing else.
> >> What you could do is redirect the user to an error page implemented as
> >> CGI-BIN which makes further checks. You can do that yourself.
> >
> > But, ideally I would like to send the user to the right page (not a
> > generic "authorization failed"), in which case I need a different error
> > code to send them to a suitable error page (which might have a form for
> > them to change their password etc.).
> You could redirect them always to the not-authorized-URL and the CGI-BIN
> handler behind that retries the LDAP bind together with ppolicy control
> reacting according to the ppolicy control values in the bind response.

That is what I will implement for now, but if the user's password has already 
expired, you use an additional grace login. If your site's policy is to allow 
3 grace logins, most likely the page should then also provide the user with a 
means to have their password reset ...

> Just a rough idea though...not sure how to reliably pass the
> username/password to the not-authorized-URL. Let's think about it...

I would pass only the username through to a form telling the user that 
authentication failed, notifying them that they can test the password and if 
necessary be prompted to change it, if they enter the password again.
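The handler behind the not-authorized URL has to look at the password-policy response control that comes back with the retried bind and pick a page from it. The following is an added example (not code from this thread or from OpenLDAP) that decodes that control, OID 1.3.6.1.4.1.42.2.27.8.5.1 as defined in draft-behera-ldap-password-policy, and maps the result to a page name. The page names and the `choose_page` routing are assumptions for illustration, and the BER byte strings in the demo are constructed by hand; in a real handler the bytes come from the bind response's control list. Note the grace-login caveat from above: every retried bind against an expired password consumes one grace login, so the handler should bind at most once per form submission.

```python
"""Decode the LDAP password-policy response control and route the user.

Added example, not code from the original thread. Implements the ASN.1 from
draft-behera-ldap-password-policy (LDAP uses implicit tags, but the CHOICE
forces the [0] warning tag to be explicit, hence constructed tag 0xA0):

    PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE {
            timeBeforeExpiration [0] INTEGER (0 .. maxInt),
            graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired (0), accountLocked (1),
            changeAfterReset (2), passwordModNotAllowed (3),
            mustSupplyOldPassword (4), insufficientPasswordQuality (5),
            passwordTooShort (6), passwordTooYoung (7),
            passwordInHistory (8) } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
          3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
          5: "insufficientPasswordQuality", 6: "passwordTooShort",
          7: "passwordTooYoung", 8: "passwordInHistory"}


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None   # seconds
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


def decode_ppolicy(value: bytes) -> PPolicyResponse:
    """Decode the controlValue octets of the ppolicy response control."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single SEQUENCE")
    resp = PPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0] CHOICE, explicit tag
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("malformed warning CHOICE")
            n = int.from_bytes(cval, "big", signed=True)
            if ctag == 0x80:
                resp.time_before_expiration = n
            elif ctag == 0x81:
                resp.grace_authns_remaining = n
            else:
                raise ValueError("unknown warning tag 0x%02x" % ctag)
        elif tag == 0x81:                   # error [1] ENUMERATED, implicit tag
            code = int.from_bytes(inner, "big", signed=True)
            resp.error = ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in ppolicy response" % tag)
    return resp


def choose_page(bind_ok: bool, ctrl: Optional[PPolicyResponse]) -> str:
    """Pick the page for the not-authorized handler (page names are assumed).

    bind_ok is the result of the single retried bind; ctrl is the decoded
    ppolicy control from that response, or None if the server sent none.
    """
    if ctrl is None:
        return "ok" if bind_ok else "generic-auth-failed"
    if ctrl.error == "accountLocked":
        return "account-locked"
    if ctrl.error == "passwordExpired":     # expired and no grace logins left
        return "password-reset"
    if ctrl.error == "changeAfterReset":    # admin reset: must set a new one
        return "password-change"
    if not bind_ok:                         # plain wrong password
        return "generic-auth-failed"
    if ctrl.grace_authns_remaining is not None:   # expired, grace login used
        return "password-change"
    if ctrl.time_before_expiration is not None:   # still valid, warn the user
        return "password-change-soon"
    return "ok"


if __name__ == "__main__":
    # Constructed sample control values (hand-encoded BER), not captured data.
    samples = {
        "expired, no grace left": bytes.fromhex("3003810100"),
        "grace logins remaining: 2": bytes.fromhex("3005a003810102"),
        "expires in 86400 s": bytes.fromhex("3007a0058003015180"),
    }
    for label, raw in samples.items():
        print(label, decode_ppolicy(raw))
```

When a password is already expired but grace logins remain, the retried bind succeeds and only carries a graceAuthNsRemaining warning; once the grace logins are used up the bind fails with error passwordExpired. That is why the page choice keys on the error field first and on the warning only for a successful bind.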