Control of expired passwords with SASL + LDAP

Paul jpb at entel.ca
Tue Nov 3 12:56:30 EST 2009


Howard Chu wrote:
> Dan White wrote:
>   
>> On 22/10/09 21:36 -0200, Sandro Venezuela wrote:
>>     
>>> Hi,
>>>
>>> I have an e-mail server with Cyrus + SASL + LDAP and would like to
>>> prohibit access to a user's mailbox when that user's password has
>>> expired. How can I do that?
>>>       
>> Sandro,
>>
>> Cyrus SASL doesn't have a concept of password expiry. What mechanism is
>> controlling when your passwords expire? OpenLDAP ppolicy? or system
>> expiration (PAM)?
>>
>>     
> This isn't quite correct. Cyrus SASL in fact defines a SASL_EXPIRED error
> code. However, the only Cyrus mech that currently uses this code is the OTP mech.
>
> Unfortunately the Cyrus SASL auxprop mechanism doesn't define any method for
> auxprop plugins to return this type of status information. Looking at the
> code, it's not really obvious where such a status should be exposed. It would
> certainly be nice to patch this in though.
>

So for all practical intents and purposes, Sandro is correct. Anything
else is an exercise in hair splitting. If a defined mechanism has no way
in which to be used, it might as well not be there, although I can see
where the functionality may be planned and "on the way" but not finished
yet.


-- 


Paul
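Dan's question above is what the expiry decision ends up depending on in practice: if OpenLDAP ppolicy governs the passwords, the expiry state is already in the directory, and the mail server has to evaluate it outside SASL because, as Howard notes, an auxprop plugin has no way to hand back SASL_EXPIRED. The following is an added example, not code from this thread or from Cyrus SASL, showing that evaluation over constructed ppolicy-style attribute values; the policy values, DNs and timestamps are made up for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data in the shape the OpenLDAP ppolicy overlay keeps:
# pwdChangedTime is an operational attribute in LDAP GeneralizedTime
# ("YYYYmmddHHMMSSZ", UTC), pwdReset is set when an admin changed the
# password, and pwdMaxAge (seconds) comes from the applicable pwdPolicy entry.
POLICY = {"pwdMaxAge": 60 * 24 * 3600}  # hypothetical 60-day maximum age

SAMPLE_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"pwdChangedTime": "20090901120000Z"},
    "uid=bob,ou=people,dc=example,dc=com": {"pwdChangedTime": "20091030080000Z"},
    "uid=carol,ou=people,dc=example,dc=com": {"pwdChangedTime": "20090101000000Z",
                                               "pwdReset": "TRUE"},
    "uid=dave,ou=people,dc=example,dc=com": {},  # ppolicy never recorded a change
}

# Evaluation time used below: the date of this post, as a fixed UTC instant.
POST_TIME = datetime(2009, 11, 3, 17, 56, 30, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse ppolicy's GeneralizedTime form into an aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, policy, now):
    """Return 'reset', 'expired' or 'valid' for one entry under a policy."""
    # pwdReset TRUE: an administrator set the password, a change is forced.
    if entry.get("pwdReset", "FALSE").upper() == "TRUE":
        return "reset"
    max_age = int(policy.get("pwdMaxAge", 0))
    if max_age == 0:
        return "valid"  # pwdMaxAge 0 or absent: passwords never age out
    changed = entry.get("pwdChangedTime")
    if changed is None:
        return "valid"  # no timestamp, so ppolicy has nothing to age
    expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
    return "expired" if now >= expires_at else "valid"


def mailbox_allowed(dn, entries=SAMPLE_ENTRIES, policy=POLICY, now=None):
    """Decide mailbox access from ppolicy state; returns (allowed, state)."""
    now = now or datetime.now(timezone.utc)
    state = password_state(entries[dn], policy, now)
    return state == "valid", state


if __name__ == "__main__":
    for dn in SAMPLE_ENTRIES:
        allowed, state = mailbox_allowed(dn, now=POST_TIME)
        print(f"{dn}: {state} -> {'allow' if allowed else 'deny'}")
```

Because SASL returns only pass/fail here, a deployment would run a check like this in whatever sits after authentication, or use it in a periodic job that disables aged accounts, rather than expecting the auxprop lookup to report expiry.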


