[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: password policy

To: Christian Bösch <boesch@fhv.at>
Subject: Re: password policy
From: Michael Ströder <michael@stroeder.com>
Date: Wed, 15 Feb 2012 11:24:59 +0100
Cc: openldap-technical@openldap.org
In-reply-to: <23A67523-3340-47C9-948C-8A3BADC55367@fhv.at>
References: <23A67523-3340-47C9-948C-8A3BADC55367@fhv.at>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120129 Firefox/10.0 SeaMonkey/2.7

Christian Bösch wrote:

i want to force a password change for a user. therefor i set pwdreset: true
but to change the password, bind attempts are still allowed.
i thinks thats the reason why a user with pwdreset=true still can login to
an apache webresource which is protected with ldap authentication.
is there a way to prohibit that?
i want the user to only allow the password change.

Strictly speaking: In case of pwdreset=TRUE the LDAP client has to 1. requestand process the ppolicy controls and 2. lead the user to the password changedialogue. Most LDAP clients are not capable of doing so.

So if you simply want to avoid that such a user can login to such a serviceyou could either

1. configure a client side search filter (&(uid=<user-id>)(!(pwdreset=TRUE))) or

2. define a server-side ACL which disallows even authc access to userPasswordfor for those LDAP clients.


Ciao, Michael.

Follow-Ups:
- Re: password policy
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

References:
- password policy
  - From: Christian Bösch <boesch@fhv.at>

Prev by Date: Re: Error - not compiled with SASL support
Next by Date: Re: Error - not compiled with SASL support
Index(es):
- Chronological
- Thread