[Dovecot] LDAP expired password

Sven Hartge sven at svenhartge.de
Thu Nov 10 23:15:05 EET 2011


rpalmarin <rpalmarin at yahoo.com> wrote:
> Sven Hartge <sven <at> svenhartge.de> writes:
>> Nikolaos Milas <nmilas <at> noa.gr> wrote:
>>> On 1/4/2011 11:09 πμ, Sven Hartge wrote:
 
>>>> Have a look at the ppolicy slapd.overlay. This will solve your
>>>> problem.

> Sorry for the delay in the response I checked the ppolicy overlay but
> without success. This overlay does not have a single "password
> expired" attribute to put in the user_filter.

I think you misunderstood the usage of the overlay.

There is _no_ additional attribute to check. With ppolicy any
authentication will fail if some previously defined conditions are met
(or no longer met) like the max age of a password.

Documentation is contained in "man slapo-ppolicy", which as bit hard to
understand, I must admit.

Also look at http://www.openldap.org/doc/admin24/overlays.html 
"12.10 Password Policies" has a nice example.

With this overlay you don't need any additional attributes and no
maintenance or houskeeping script to invalidate expired passwords.

>> At my university we introduced our own attribute gifb-status which
>> contains a "1" if an account is valid, a "0" if it is not (and
>> several others for different purposes) and our ldap-filters all
>> contain something like "(&(ou=foobar)(gifb-status=1))".

> is possible that the only way to do this is to manage a new attribute?
> how can understand  all the people that have configured the mail
> client to authenticate with imap-dovecot that their passoword has
> expired?

Well, either way (using ppolicy or an additional attribute): they will
call the support desk, if they are unable to understand the message from
their mail client. No way to fix _this_ problem, I am afraid ;)

S°

-- 
Sigmentation fault. Core dumped.




More information about the dovecot mailing list