[Dovecot] LDAP expired password

Sven Hartge sven at svenhartge.de
Fri Apr 1 14:46:36 EEST 2011

Nikolaos Milas <nmilas at noa.gr> wrote:
> On 1/4/2011 11:09 AM, Sven Hartge wrote:

>> Have a look at the ppolicy slapd.overlay. This will solve your
>> problem.

> I just wanted to mention that there are significant integration issues
> of openldap ppolicy overlay in other software.

Right. You need to be careful integrating this overlay.

> In many cases, a separate or a supplemental (to ppolicy) password
> management process should be established, like:
> http://tools.ltb-project.org/news/14 (which I haven't used myself).
> This could be expanded and/or tied to a cron-job that would send
> warnings to users etc. based on ldapsearch results.

At my university we introduced our own attribute gifb-status which
contains a "1" if an account is valid, a "0" if it is not (and several
others for different purposes) and our ldap-filters all contain
something like "(&(ou=foobar)(gifb-status=1))".

The status is changed by a nightly cron-job, which checks if the account
is still valid or if it has to be deactivated.

This extra attribute of course only works if you are able to change the
filter a program uses. If not, you have to implement different
procedures, like moving the password hash out of userPassword to cause
the login to fail.


Sig lost. Core dumped.
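Sven's status-attribute scheme, as an added example that is not from the post or from Dovecot itself: the nightly check that flips `gifb-status` to match an account's validity and emits the `ldapmodify` LDIF, plus a local evaluation of the `(&(ou=foobar)(gifb-status=1))` filter showing which accounts a lookup would still find. The `expires` attribute name, the sample entries and the base DN are constructed assumptions.

```python
from datetime import date

# Constructed sample entries, standing in for the result of an ldapsearch
# over the user subtree. "expires" (ISO date) is an assumed attribute name.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=foobar,dc=example,dc=org", "ou": "foobar", "gifb-status": "1", "expires": "2011-06-30"},
    {"dn": "uid=bob,ou=foobar,dc=example,dc=org", "ou": "foobar", "gifb-status": "1", "expires": "2011-03-15"},
    {"dn": "uid=carol,ou=foobar,dc=example,dc=org", "ou": "foobar", "gifb-status": "0", "expires": "2011-03-01"},
    {"dn": "uid=dave,ou=foobar,dc=example,dc=org", "ou": "foobar", "gifb-status": "0", "expires": "2011-12-31"},
]

def account_valid(entry, today):
    """An account is valid while its expiry date (ISO) has not passed."""
    return date.fromisoformat(entry["expires"]) >= date.fromisoformat(today)

def plan_status_changes(entries, today):
    """The nightly job: (dn, new_status) for every entry whose stored
    gifb-status disagrees with its actual validity. Reactivations
    (0 -> 1) are handled as well as deactivations (1 -> 0)."""
    changes = []
    for e in entries:
        want = "1" if account_valid(e, today) else "0"
        if e["gifb-status"] != want:
            changes.append((e["dn"], want))
    return changes

def to_ldif(changes):
    """Render the planned changes as LDIF for ldapmodify (one modify per DN)."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: gifb-status\ngifb-status: {st}\n"
        for dn, st in changes
    )

def matches_login_filter(entry, ou="foobar"):
    """Evaluate the post's filter (&(ou=foobar)(gifb-status=1)) locally:
    an entry that fails it is invisible to the LDAP lookup, so the
    login fails without anyone touching userPassword."""
    return entry.get("ou") == ou and entry.get("gifb-status") == "1"

def apply_changes(entries, changes):
    """Apply the planned changes in memory (what ldapmodify would do)."""
    new_status = dict(changes)
    return [dict(e, **{"gifb-status": new_status.get(e["dn"], e["gifb-status"])})
            for e in entries]

if __name__ == "__main__":
    # The date of the thread; bob is expired, dave is valid again.
    print(to_ldif(plan_status_changes(SAMPLE_ENTRIES, "2011-04-01")))
```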
