Control of expired passwords with SASL + LDAP

Howard Chu hyc at highlandsun.com
Tue Nov 3 23:53:59 EST 2009


Paul wrote:
> Howard Chu wrote:
>> Dan White wrote:
>>
>>> On 22/10/09 21:36 -0200, Sandro Venezuela wrote:
>>>
>>>> Hi,
>>>>
>>>> I have an e-mail server with Cyrus + SASL + LDAP and would like to
>>>> prohibit access to the mailbox of the user when it has an expired
>>>> password. How can I do that?
>>>>
>>> Sandro,
>>>
>>> Cyrus SASL doesn't have a concept of password expiry. What mechanism is
>>> controlling when your passwords expire? OpenLDAP ppolicy? or system
>>> expiration (PAM)?
>>>
>>>
>> This isn't quite correct. Cyrus SASL in fact defines a SASL_EXPIRED error
>> code. However, the only Cyrus mech that currently uses this code is the OTP mech.
>>
>> Unfortunately the Cyrus SASL auxprop mechanism doesn't define any method for
>> auxprop plugins to return this type of status information. Looking at the
>> code, it's not really obvious where such a status should be exposed. It would
>> certainly be nice to patch this in though.

> So for all practical intents and purposes, Sandro is correct. Anything
> else is an exercise in hair splitting. If a defined mechanism has no way
> in which to be used, it might as well not be there, although I can see
> where the functionality may be planned and "on the way" but not finished
> yet.

The point of my message was to open the discussion about how to get this
implemented, not to split hairs about whether or not it's supported. Clearly
it needs to be worked on.
-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
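The thread leaves the SASL side unresolved (no auxprop path for SASL_EXPIRED), but the expiry decision itself is simple when OpenLDAP ppolicy is the source of truth, as Dan White suggests. The following is an added example, not code from Cyrus SASL, OpenLDAP or any poster: it recomputes ppolicy's expiry rule, pwdChangedTime plus the policy's pwdMaxAge, application-side, so a mail front end could refuse mailbox access even when the bind itself still succeeds. The user entry, the policy subentry and the function names are constructed for illustration; the attribute names and the rule (pwdMaxAge of 0 disables ageing, a missing pwdChangedTime is not aged) follow the ppolicy overlay's documented behaviour.

```python
"""Decide whether an LDAP user's password is expired under OpenLDAP ppolicy.

Added example (not Cyrus SASL or OpenLDAP code). It assumes entries shaped
like the attributes the ppolicy overlay maintains: pwdChangedTime on the
user, pwdMaxAge on the policy subentry. All data below is constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data: a user entry and the policy subentry it points at.
USER_ENTRY = {
    "uid": ["sandro"],
    "pwdChangedTime": ["20090801120000Z"],
    "pwdPolicySubentry": ["cn=default,ou=policies,dc=example,dc=com"],
}
POLICY_ENTRY = {
    "cn": ["default"],
    "pwdMaxAge": ["7776000"],  # 90 days in seconds; 0 would mean "never expires"
}


def parse_generalized_time(value: str) -> datetime:
    """Parse the GeneralizedTime form ppolicy writes: YYYYMMDDHHMMSSZ (UTC).

    Fractional seconds and non-UTC offsets are rejected rather than guessed,
    so a malformed attribute fails closed instead of yielding a wrong date.
    """
    if len(value) != 15 or not value.endswith("Z") or not value[:14].isdigit():
        raise ValueError("unsupported GeneralizedTime: %r" % value)
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def password_expiry(user: dict, policy: dict) -> Optional[datetime]:
    """Return the instant the password expires, or None if it never does.

    ppolicy ages a password as pwdChangedTime + pwdMaxAge. A pwdMaxAge of 0
    disables ageing, and an entry with no pwdChangedTime (for example one
    created before the overlay was enabled) is not aged either.
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    changed = user.get("pwdChangedTime")
    if max_age <= 0 or not changed:
        return None
    return parse_generalized_time(changed[0]) + timedelta(seconds=max_age)


def password_expired(user: dict, policy: dict, now: datetime) -> bool:
    """True once the expiry instant has passed; both sides are UTC-aware."""
    expiry = password_expiry(user, policy)
    return expiry is not None and now >= expiry


def mailbox_access_decision(user: dict, policy: dict, now: datetime) -> str:
    """The gate Sandro asked for: deny the mailbox on an expired password
    regardless of whether the bind would have succeeded. Hypothetical helper."""
    if password_expired(user, policy, now):
        return "deny: password expired at %s" % password_expiry(user, policy).isoformat()
    return "allow"


if __name__ == "__main__":
    # The two timestamps are the dates of Sandro's question and this reply.
    for when in (datetime(2009, 10, 22, 21, 36, tzinfo=timezone.utc),
                 datetime(2009, 11, 3, 23, 53, tzinfo=timezone.utc)):
        print(when.isoformat(), mailbox_access_decision(USER_ENTRY, POLICY_ENTRY, when))
```

The overlay itself already reports expiry to a binding client through the password policy response control, so this duplication only buys something where the client in the path (a SASL auxprop lookup, in this thread) has no way to see that control; it also does not cover grace binds or the pwdReset "must change" flag, which an application-side check would need to add separately.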