[Dovecot] LDAP expired password
hi all, I'm using postfix, LDAP, dovecot and horde for webmail. user and password information is stored in LDAP. I'm attempting to get password aging working properly and am not having much luck. even if password has expired user can login, can i tell dovecot to control the LDAP field shadowexpired? or is there some other way to check properly that the password is expired before allowing the user log in?
thank's /roby
roberto palmarin <rpalmarin@yahoo.com> wrote:
I'm using postfix, LDAP, dovecot and horde for webmail. user and password information is stored in LDAP. I'm attempting to get password aging working properly and am not having much luck. even if password has expired user can login, can i tell dovecot to control the LDAP field shadowexpired? or is there some other way to check properly that the password is expired before allowing the user log in?
Have a look at the ppolicy slapd.overlay. This will solve your problem.
Grüße, Sven.
-- Sig lost. Core dumped.
On 1/4/2011 11:09 πμ, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
I just wanted to mention that there are significant integration issues of openldap ppolicy overlay in other software.
(We also aren't sure Rob is using OpenLDAP - he hasn't mentioned.)
There are issues with password expiration warnings. See for example: http://lists.horde.org/archives/sork/Week-of-Mon-20091005/002973.html. Horde integration might provide solutions to the issues.
In many cases, a separate or a supplemental (to ppolicy) password management process should be established, like: http://tools.ltb-project.org/news/14 (which I haven't used myself). This could be expanded and/or tied to a cron-job that would send warnings to users etc. based on ldapsearch results.
Nick
Nikolaos Milas <nmilas@noa.gr> wrote:
On 1/4/2011 11:09 πμ, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
I just wanted to mention that there are significant integration issues of openldap ppolicy overlay in other software.
Right. You need to be careful integrating this overlay.
In many cases, a separate or a supplemental (to ppolicy) password management process should be established, like: http://tools.ltb-project.org/news/14 (which I haven't used myself). This could be expanded and/or tied to a cron-job that would send warnings to users etc. based on ldapsearch results.
At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))".
The status is changed by a nightly cron-job, which checks if the account is still valid or if it has to be deactived.
This extra attribute of course only works if you are able to change the filter a programm uses. If not, you have to implement different procedures, like moving the password hash out of userPassword to cause the login to fail.
Grüße, Sven.
-- Sig lost. Core dumped.
Sven Hartge <sven <at> svenhartge.de> writes:
Nikolaos Milas <nmilas <at> noa.gr> wrote:
On 1/4/2011 11:09 πμ, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
hello all Sorry for the delay in the response I checked the ppolicy overlay but without success. This overlay does not have a single "password expired" attribute to put in the user_filter.
currently my dovecot-ldap.conf contain:
user_filter (&(|( = uid =% u) (employeeNumber =% u)) (objectClass = inetOrgPerson) (accountStatus = active))
At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))".
is possible that the only way to do this is to manage a new attribute? how can understand all the people that have configured the mail client to authenticate with imap-dovecot that their passoword has expired?
thanks / roby
rpalmarin <rpalmarin@yahoo.com> wrote:
Sven Hartge <sven <at> svenhartge.de> writes:
Nikolaos Milas <nmilas <at> noa.gr> wrote:
On 1/4/2011 11:09 πμ, Sven Hartge wrote:
Have a look at the ppolicy slapd.overlay. This will solve your problem.
Sorry for the delay in the response I checked the ppolicy overlay but without success. This overlay does not have a single "password expired" attribute to put in the user_filter.
I think you misunderstood the usage of the overlay.
There is _no_ additional attribute to check. With ppolicy any authentication will fail if some previously defined conditions are met (or no longer met) like the max age of a password.
Documentation is contained in "man slapo-ppolicy", which as bit hard to understand, I must admit.
Also look at http://www.openldap.org/doc/admin24/overlays.html "12.10 Password Policies" has a nice example.
With this overlay you don't need any additional attributes and no maintenance or houskeeping script to invalidate expired passwords.
At my university we introduced our own attribute gifb-status which contains a "1" if an account is valid, a "0" if it is not (and several others for different purposes) and our ldap-filters all contain something like "(&(ou=foobar)(gifb-status=1))".
is possible that the only way to do this is to manage a new attribute? how can understand all the people that have configured the mail client to authenticate with imap-dovecot that their passoword has expired?
Well, either way (using ppolicy or an additional attribute): they will call the support desk, if they are unable to understand the message from their mail client. No way to fix _this_ problem, I am afraid ;)
S°
-- Sigmentation fault. Core dumped.
participants (4)
-
Nikolaos Milas
-
roberto palmarin
-
rpalmarin
-
Sven Hartge