rpalmarin <rpalmarin@yahoo.com> wrote:
Sven Hartge <sven <at> svenhartge.de> writes:
Nikolaos Milas <nmilas <at> noa.gr> wrote:
On 1/4/2011 11:09 AM, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
Sorry for the delay in the response. I checked the ppolicy overlay but without success. This overlay does not have a single "password expired" attribute to put in the user_filter.
I think you misunderstood the usage of the overlay.
There is _no_ additional attribute to check. With ppolicy any authentication will fail if some previously defined conditions are met (or no longer met) like the max age of a password.
Documentation is contained in "man slapo-ppolicy", which is a bit hard to understand, I must admit.
Also look at http://www.openldap.org/doc/admin24/overlays.html; "12.10 Password Policies" has a nice example.
With this overlay you don't need any additional attributes and no maintenance or housekeeping script to invalidate expired passwords.
At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))".
Is it possible that the only way to do this is to manage a new attribute? How can all the people who have configured their mail client to authenticate with imap-dovecot understand that their password has expired?
Well, either way (using ppolicy or an additional attribute): they will call the support desk, if they are unable to understand the message from their mail client. No way to fix _this_ problem, I am afraid ;)
S°
-- Sigmentation fault. Core dumped.
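
An added illustration, not part of the original thread, of why there is no "expired" attribute to put in a filter: with ppolicy the decision is computed at bind time from the entry's pwdChangedTime and the policy's pwdMaxAge. The function names, user entries and policy values are constructed, and the logic is a simplified model of the overlay's age check, not its code.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime form used by pwdChangedTime, e.g. 20110301080000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bind_outcome(entry, policy, now):
    """Model the age check for a bind with the correct password.

    Returns 'ok', 'warning', 'grace' or 'expired'. Only 'expired' refuses the bind.
    """
    max_age = int(policy.get("pwdMaxAge", 0))
    changed = entry.get("pwdChangedTime")
    # pwdMaxAge of 0 (or absent), or an entry without pwdChangedTime: never expires.
    if max_age == 0 or changed is None:
        return "ok"
    expires = parse_generalized_time(changed) + timedelta(seconds=max_age)
    if now >= expires:
        # Grace logins still succeed until pwdGraceAuthNLimit is used up.
        used = len(entry.get("pwdGraceUseTime", []))
        if used < int(policy.get("pwdGraceAuthNLimit", 0)):
            return "grace"
        return "expired"
    warn = int(policy.get("pwdExpireWarning", 0))
    if warn and expires - now <= timedelta(seconds=warn):
        return "warning"
    return "ok"


# Constructed sample data: 90-day maximum age, 7-day warning window, no grace logins.
POLICY = {"pwdMaxAge": 7776000, "pwdExpireWarning": 604800, "pwdGraceAuthNLimit": 0}
NOW = datetime(2011, 4, 1, 9, 0, tzinfo=timezone.utc)
USERS = {
    "alice": {"pwdChangedTime": "20110301080000Z"},  # changed a month ago
    "bob": {"pwdChangedTime": "20110105080000Z"},    # expires in under 4 days
    "carol": {"pwdChangedTime": "20101201080000Z"},  # past the 90 days
    "dave": {},                                      # never changed under ppolicy
}


def report(users=USERS, policy=POLICY, now=NOW):
    """Map each constructed user to the modelled bind outcome."""
    return {name: bind_outcome(entry, policy, now) for name, entry in users.items()}


if __name__ == "__main__":
    for name, outcome in report().items():
        print(f"{name}: {outcome}")
```
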