[Dovecot] LDAP expired password

Sven Hartge sven at svenhartge.de
Fri Apr 1 14:46:36 EEST 2011


Nikolaos Milas <nmilas at noa.gr> wrote:
> On 1/4/2011 11:09 πμ, Sven Hartge wrote:

>> Have a look at the ppolicy slapd.overlay. This will solve your
>> problem.

> I just wanted to mention that there are significant integration issues
> of openldap ppolicy overlay in other software.

Right. You need to be careful integrating this overlay.

> In many cases, a separate or a supplemental (to ppolicy) password
> management process should be established, like:
> http://tools.ltb-project.org/news/14 (which I haven't used myself).
> This could be expanded and/or tied to a cron-job that would send
> warnings to users etc. based on ldapsearch results.

At my university we introduced our own attribute gifb-status which
contains a "1" if an account is valid, a "0" if it is not (and several
others for different purposes) and our ldap-filters all contain
something like "(&(ou=foobar)(gifb-status=1))".

The status is changed by a nightly cron-job, which checks if the account
is still valid or if it has to be deactived.

This extra attribute of course only works if you are able to change the
filter a programm uses. If not, you have to implement different
procedures, like moving the password hash out of userPassword to cause
the login to fail.

Grüße,
Sven.

-- 
Sig lost. Core dumped.



More information about the dovecot mailing list