Re: ppolicy by group
On Thursday 26 June 2008 17:39:27 Michael Ströder wrote:
> Buchan Milne wrote:
> > On Thursday 26 June 2008 13:52:05 Michael Ströder wrote:
> >> Let's look at a very simple case: How should a web server which
> >> implements HTTP basic authc implement the user interaction needed? It
> >> simply relies on the browser popping up the login window, nothing else.
> >> What you could do is redirect the user to an error page implemented as
> >> CGI-BIN which makes further checks. You can do that yourself.
> > But, ideally I would like to send the user to the right page (not a
> > generic "authorization failed"), in which case I need a different error
> > code to send them to a suitable error page (which might have a form for
> > them to change their password etc.).
> You could redirect them always to the not-authorized-URL and the CGI-BIN
> handler behind that retries the LDAP bind together with ppolicy control
> reacting according to the ppolicy control values in the bind response.
That is what I will implement for now, but if the user's password has already
expired, you use an additional grace login. If your site's policy is to allow
3 grace logins, most likely the page should then also provide the user with a
means to have their password reset ...
> Just a rough idea though...not sure how to reliably pass the
> username/password to the not-authorized-URL. Let's think about it...
I would pass only the username through to a form telling the user that
authentication failed, notifying them that they can test the password and if
necessary be prompted to change it, if they enter the password again.
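
Added example, not part of the original message: a sketch of the decision step a CGI handler like the one discussed above could run after retrying the bind, decoding the password policy response control value (BER, per the draft-behera password policy layout) and picking a page for the user. The page names and the `choose_page` mapping are assumptions for illustration, and the sample control value is constructed.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # password policy request/response control
ERRORS = ["passwordExpired", "accountLocked", "changeAfterReset",
          "passwordModNotAllowed", "mustSupplyOldPassword",
          "insufficientPasswordQuality", "passwordTooShort",
          "passwordTooYoung", "passwordInHistory"]
SAMPLE_GRACE = bytes.fromhex("3005a003810102")  # constructed: 2 grace logins left

def _tlv(buf, pos):
    """Read one BER element (definite length); return tag, value, next position."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy(value):
    """Return a dict with optional 'expires_in', 'grace_left' and 'error' keys."""
    out = {}
    if not value:
        return out
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag == 0xA0:      # warning [0] CHOICE
            wtag, wval, _ = _tlv(val, 0)
            key = {0x80: "expires_in", 0x81: "grace_left"}.get(wtag)
            if key:
                out[key] = int.from_bytes(wval, "big")
        elif tag == 0x81:    # error [1] ENUMERATED
            code = int.from_bytes(val, "big")
            out["error"] = ERRORS[code] if code < len(ERRORS) else "unknown(%d)" % code
    return out

def choose_page(bind_ok, ctrl):
    """Hypothetical page names: map bind result plus control to what the CGI shows."""
    err = ctrl.get("error")
    if err == "accountLocked":
        return "locked"
    if bind_ok and (err == "changeAfterReset" or "grace_left" in ctrl):
        return "change-password"
    if err == "passwordExpired":
        return "request-reset"
    if not bind_ok:
        return "auth-failed"
    return "expiry-warning" if "expires_in" in ctrl else "ok"
```

Because the retried bind itself counts as a grace login once the password has expired, the handler should show the change-password form on that same response instead of binding again.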