[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy password warnings

On Tuesday, 6 October 2009 14:08:36 Gustavo Schroeder wrote:
> Hi,
> I'm planning to implement the ppolicy overlay in our repository and a
> major doubt came out.
> Suppose I got ppolicy overlay up and running and pwdMaxAge=10368000
> (120 days) and as I've been googling around pam_ldap has the ability
> to provide user warnings about password expiration.
> My question is, will the userland apps like Thunderbird, Horde IMP
> (via passwd module),

In many cases, other protocols (e.g. IMAP, HTTP) have lacked support for 
informing the user that, while they authenticated, their password will need to 
be changed in future. So, even if the IMAP server could be modified to support 
the password policy control, you would still need a protocol extension for the 
other protocols, and clients to support it.

IMAP recently got the "EXPIRED" response code 
(http://tools.ietf.org/html/rfc5530), but so far it seems only one IMAP server 
(dovecot - http://www.linux-magazine.com/Online/News/Dovecot-1.2-IMAP-Server-
with-New-Plugins/(kategorie)/0 ) supports it. I can't find any evidence of any 
clients supporting it. However, checking whether dovecot's LDAP support has 
ppolicy support that would result in an EXPIRED response would be your first 
stop. If not, I would file a bug on dovecot for the feature.

If you are using a different IMAP server, you should check if they support 
RFC5530, and if not, file bugs for this.

However, there seems to be no way for the user to change their password over 
IMAP, so you would need to ensure that they have some means of doing so (and 
are aware of it).

> Samba provide password warnings to the end user?

Samba has it's own password expiry attributes, and assuming your users log 
into the samba domain, they should be prompted to change their passwords.

However, currently there is no easy way to keep the password expiry attributes 
in sync if passwords are not changed exclusively with samba. Unfortunately 
ppolicy + smbk5pwd don't update all samba password expiry attributes (I should 
file an ITS ...).

> How will the user get warned when his/her password is about to expire?
> Is this something that the directory server will provide?

In an environment where people were not using protocols that supported 
notification of password expiry, I used a perl script in a daily cron job to 
send the user an email warning them that their password would expire.

It really at some stage needs a config file (but, that would require 
interpolating variables into messages which should be configurable), but I have 
attached a version. If you are going to use it, search for 'mydomain' and 
change as appropriate.

(One change I should probably make is to inform the user after their password 
has expired, that it has, and that no more warnings will be sent)

I also attached a perl CGI (ldap-password.pl) supporting ppolicy password 
checking/changing (which was running on the URLS in the mail). E.g., in my 
case I needed to provide a means for users to change their password when their 
VPN access no longer worked due to their password expiring, and the VPN/RADIUS 
server could not warn them in advance ...

If people find these useful I can spend the time to clean them up to use 
configuration files instead, and one or two other issues.


Attachment: find-ldap-expired-public.pl
Description: Perl program

Attachment: ldap-password.pl
Description: Perl program