Re: ppolicy by group

[Buchan Milne <bgmilne@staff.telkomsa.net>]

On Thursday 26 June 2008 17:39:27 Michael Ströder wrote:
> Buchan Milne wrote:
> > On Thursday 26 June 2008 13:52:05 Michael Ströder wrote:
> >> Let's look at a very simply case: How should a web server which
> >> implements HTTP basic authc implement the user interaction needed? It
> >> simply relies on the browser popping up the login window, nothing else.
> >> What you could do is redirect the user to an error page implemented as
> >> CGI-BIN which makes further checks. You can do that yourself.
> >
> > But, ideally I would like to send the user to the right page (not a
> > generic "authorization failed"), in which case I need a different error
> > code to send them to a suitable error page (which might have a form for
> > them to change their password etc.).
>
> You could redirect them always to the not-autorized-URL and the CGI-BIN
> handler behind that retrys the LDAP bind together with ppolicy control
> reacting according to the ppolicy control values in the bind response.

That is what I will implement for now, but if the user's password has already 
expired, you use an additional grace login. If your site's policy is to allow 
3 grace logins, most likely the page should then also provide the user with a 
means to have their password reset ...

> Just a rough idea though...not sure how to reliably pass the
> username/password to the not-autorized-URL. Let's think about it...

I would pass only the username through to a form telling the user that 
authentication failed, notifying them that they can test the password and if 
necessary be prompted to change it, if they enter the password again.

Regards,
Buchan