Control of expired passwords with SASL + LDAP

Dan White dwhite at olp.net
Fri Oct 23 09:40:52 EDT 2009


Sandro,

ppolicy is documented in the slapo-ppolicy man page (from OpenLDAP). It may
not be a good fit if you're trying to enforce a password policy onto a
Cyrus IMAP server.

You could use saslauthd with its PAM backend to enforce your password
policy, assuming you're only using PLAIN/LOGIN mechanisms.

How does LDAP fit into your overall picture?

On 23/10/09 11:10 -0200, Sandro Venezuela wrote:
>Thanks Dan for your reply.
>
>Today, expired passwords are controlled by PAM on the workstations, and
>since I use openSUSE Linux, that is easy to implement.
>
>But on the server I'm using only SASL+LDAP and wanted something similar
>to PAM, but I'll be searching on the Internet for the use of ppolicy to
>solve my problem.
>
>Do you have any documentation to show about ppolicy?
>
>Dan White wrote:
>> On 22/10/09 21:36 -0200, Sandro Venezuela wrote:
>>> Hi,
>>>
>>> I have an e-mail server with Cyrus + SASL + LDAP and would like to
>>> prohibit access to the user's mailbox when the user has an expired
>>> password. How can I do that?
>>
>> Sandro,
>>
>> Cyrus SASL doesn't have a concept of password expiry. What mechanism is
>> controlling when your passwords expire? OpenLDAP ppolicy? or system
>> expiration (PAM)?

-- 
Dan White
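
Added example, not part of the original message: a configuration sketch of the saslauthd + PAM approach suggested above, showing where password expiry is actually enforced. The use of pam_ldap.so as the PAM module, the file paths, and the test user are assumptions; adjust them to the distribution in use.

```conf
# Constructed example; paths and module names vary by distribution.

# --- /etc/imapd.conf (Cyrus IMAP) ---
# Hand password checks to saslauthd instead of an auxprop plugin.
sasl_pwcheck_method: saslauthd
# Offer only plaintext mechanisms. saslauthd can verify only a password
# it receives; shared-secret mechanisms (CRAM-MD5, DIGEST-MD5) are
# checked against stored secrets and would never reach the PAM stack.
# PLAIN/LOGIN hand the password to the server, so offer them over TLS.
sasl_mech_list: PLAIN LOGIN

# --- saslauthd start-up ---
# Select the PAM backend:
#   saslauthd -a pam

# --- /etc/pam.d/imap ---
# Cyrus imapd passes "imap" as the PAM service name; other Cyrus
# services use their own service names and need their own files.
auth     required   pam_ldap.so
# The account stack is where expiry is enforced: saslauthd calls
# pam_acct_mgmt() after pam_authenticate(), so an expired account
# fails the login even when the password itself is correct.
account  required   pam_ldap.so

# --- check from the mail server ---
#   testsaslauthd -u someuser -p 'password' -s imap
# Expect a NO result for a user whose password has expired and an
# OK result for a user whose password is current.
```

If the `account` line is missing or uses a module that always succeeds, authentication still works but expiry is silently ignored.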

