password expire warning for dovecot users in IMAP/POP login
Dear list,
Is it possible to give a notification about password expire warning to users authenticated by OpenLDAP when the users login via dovecot using IMAP or POP? For example, when you ssh to a server and/or run ldapsearch, you can be warned with password expire warning like below:
# ssh testuser@localhost
testuser@localhost's password:
Your password will expire in 31 minute(s). <==
Last login: Wed Jun 8 12:22:08 2016 from localhost.localdomain
]$ ldapsearch -LLL -D uid=testuser,ou=People,dc=example,dc=com -w redhat "cn=testuser" -e ppolicy
ldap_bind: Success (0) (Password expires in 1808 seconds) <==
dn: uid=testuser,ou=People,dc=example,dc=com
Can the same be done for dovecot users authenticated by OpenLDAP in IMAP/POP?
Thanks,
-- Masaharu Kawada
How would this warning get shown to people?
Aki
Aki-san,
Thanks for your feedback.
Whatever ways will do. For instance, in a thunderbird mail client, a pop-up message or notification email telling client that the password will be expired in XX days, something like this, would be nice.
Thanks, Masaharu Kawada
On 06/08/2016 10:05 AM, mkawada@redhat.com wrote:
> Whatever ways will do. For instance, in a thunderbird mail client, a pop-up message or notification email telling client that the password will be expired in XX days, something like this, would be nice.
IMAP has ALERT response which is supported by some clients. I think Thunderbird supports that. I don't think POP has such a feature, but I wouldn't care about POP.
--
Aleksander 'A.L.E.C' Machniak
Kolab Groupware Developer [http://kolab.org]
Roundcube Webmail Developer [http://roundcube.net]
---------------------------------------------------
PGP: 19359DC1 @@ GG: 2275252 @@ WWW: http://alec.pl
Alec-san,
Thanks for your comment.
Please lemme make sure one more thing.
> IMAP has ALERT response which is supported by some clients.
To make it happen, no need to add any other configurations on LDAP end once password policy is correctly set?
Thanks, Masaharu Kawada
On 06/08/2016 10:39 AM, mkawada@redhat.com wrote:
> To make it happen, no need to add any other configurations on LDAP end once password policy is correctly set?
You've got me wrong. I just responded to Aki's question. ALERT feature could be used to send the message to the client, but there's no code to handle such LDAP password policies/notices yet.
--
Aleksander 'A.L.E.C' Machniak
Alec-san,
Excuse me for my misconception.
Anyway, appreciate your comment.
Thanks, Masaharu Kawada
Kawada-san, have you seen this page?
http://wiki2.dovecot.org/PostLoginScripting
You will need to write some shell code to determine the expiration, but it has examples of similar actions, including sending an ALERT.
On 6/8/2016 4:58 AM, mkawada@redhat.com wrote:
> Alec-san,
> Excuse me for my misconception.
> Anyway, appreciate your comment.
> Thanks, Masaharu Kawada
The correct way to handle this IMAP-wise would be to return the EXPIRED response code (https://tools.ietf.org/html/rfc5530#section-3). But this requires client support to report to the end user. (And also requires that Dovecot would be able to determine from authentication source that the credentials are expired, as opposed to incorrect.)
michael
I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work. I don't know any mechanism to send this kind of message via POP.
Regards, Juan.
> I think the easiest solution is to send a mail to the user that the password will expire. A cron job and a shell script should do the work. I don't know any mechanism to send this kind of message via POP.
I agree with you. Don’t bother trying to alert the user when he logs in (where there is no universal client support for such alerts). But, simply send a notification message from a cron script to their mailbox (a couple days before expiration). You could mark the message as high priority/urgent just in case their client displays such messages more prominently than normal inbox new messages. IMAP or POP login is usually done by the email client in the background and the user isn’t necessarily even around to handle the alert. But, clients are used to alerting the user that they have new mail.
So, simply sending a notification message, from a cron job, to their INBOX is definitely the way I would go.
Kevin
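The cron-job approach suggested in this thread depends on working out which accounts are inside the warning window. The shell function below is an added example, not code from any poster: it does that check over LDIF input, assuming the OpenLDAP ppolicy attributes pwdChangedTime and pwdMaxAge, a single policy-wide maximum age passed in as an argument, and constructed sample entries.

```shell
# Added example, not code from the thread. Reads LDIF, e.g. from:
#   ldapsearch -LLL -x -b ou=People,dc=example,dc=com '(pwdChangedTime=*)' mail pwdChangedTime
# Assumes one policy-wide pwdMaxAge and unfolded, non-base64 values. Usage:
#   expiring_users MAX_AGE_SECONDS WARN_DAYS NOW_EPOCH < ldif   (prints "mail days_left")
expiring_users() {
    awk -v max_age="$1" -v warn_days="$2" -v now="$3" '
    # Days since 1970-01-01 for a Gregorian date (avoids non-portable date(1) options).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    # GeneralizedTime (YYYYmmddHHMMSS[.frac]Z, UTC) to epoch seconds.
    function epoch(t,    day) {
        day = days_from_civil(substr(t, 1, 4) + 0, substr(t, 5, 2) + 0, substr(t, 7, 2) + 0)
        return day * 86400 + substr(t, 9, 2) * 3600 + substr(t, 11, 2) * 60 + substr(t, 13, 2)
    }
    function emit_record(    left) {
        if (mail != "" && changed != "") {
            left = epoch(changed) + max_age - now
            if (left > 0 && left <= warn_days * 86400)   # expired entries are skipped
                print mail, int((left + 86399) / 86400)
        }
        mail = changed = ""
    }
    $1 == "mail:"           { mail = $2 }
    $1 == "pwdChangedTime:" { changed = $2 }
    /^$/                    { emit_record() }
    END                     { emit_record() }'
}

# Constructed sample input (not real directory data); pwdMaxAge of 90 days assumed.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=com
mail: alice@example.com
pwdChangedTime: 20160310120000Z

dn: uid=bob,ou=People,dc=example,dc=com
mail: bob@example.com
pwdChangedTime: 20160601000000Z

dn: uid=carol,ou=People,dc=example,dc=com
mail: carol@example.com
pwdChangedTime: 20160101000000Z
EOF
}
```

From cron, pass `$(date +%s)` as NOW_EPOCH and hand each output line to the local MTA to build the notification message.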
Hi list,
I very much appreciate you all who gave me a help on my question.
Will check and try the stuff based on the given info from you guys.
Thanks a million!
Masaharu Kawada
participants (7)
- A.L.E.C
- Aki Tuomi
- Juan Bernhard
- KT Walrus
- Michael Slusarz
- mkawada@redhat.com
- Tom Talpey