[Dovecot] LDAP expired password
Sven Hartge
sven at svenhartge.de
Thu Nov 10 23:15:05 EET 2011
rpalmarin <rpalmarin at yahoo.com> wrote:
> Sven Hartge <sven <at> svenhartge.de> writes:
>> Nikolaos Milas <nmilas <at> noa.gr> wrote:
>>> On 1/4/2011 11:09 πμ, Sven Hartge wrote:
>>>> Have a look at the ppolicy slapd.overlay. This will solve your
>>>> problem.
> Sorry for the delay in the response I checked the ppolicy overlay but
> without success. This overlay does not have a single "password
> expired" attribute to put in the user_filter.
I think you misunderstood the usage of the overlay.
There is _no_ additional attribute to check. With ppolicy any
authentication will fail if some previously defined conditions are met
(or no longer met) like the max age of a password.
Documentation is contained in "man slapo-ppolicy", which as bit hard to
understand, I must admit.
Also look at http://www.openldap.org/doc/admin24/overlays.html
"12.10 Password Policies" has a nice example.
With this overlay you don't need any additional attributes and no
maintenance or houskeeping script to invalidate expired passwords.
>> At my university we introduced our own attribute gifb-status which
>> contains a "1" if an account is valid, a "0" if it is not (and
>> several others for different purposes) and our ldap-filters all
>> contain something like "(&(ou=foobar)(gifb-status=1))".
> is possible that the only way to do this is to manage a new attribute?
> how can understand all the people that have configured the mail
> client to authenticate with imap-dovecot that their passoword has
> expired?
Well, either way (using ppolicy or an additional attribute): they will
call the support desk, if they are unable to understand the message from
their mail client. No way to fix _this_ problem, I am afraid ;)
S°
--
Sigmentation fault. Core dumped.
More information about the dovecot
mailing list