Control of expired passwords with SASL + LDAP

Dan White dwhite at olp.net
Fri Oct 23 11:33:01 EDT 2009


On 23/10/09 12:20 -0200, Sandro Venezuela wrote:
>I'm using LDAP to authenticate users on the Cyrus IMAP server, with
>Thunderbird and eGroupware, and also on the workstations.
>
>On the E-mail server, I'm using saslauthd with LDAP and when password
>expires, you can still access the mailbox through Thunderbird.
>
>My goal is just to solve this problem, because both eGroupware and PAM
>already do this for me.

I'm guessing 'ldap_auth_method: fastbind' with 'ldap_use_sasl: no' will
honor slapo-ppolicy. Your 'ldap_filter' option will need to resolve to the
user's DN.

See 'saslauthd/LDAP_SASLAUTHD' in the sasl source for documentation.

slapo-ppolicy uses its own expiration configuration, so you would need to
maintain your PAM configuration (for non-IMAP logins) and slapo-ppolicy in
parallel.

Alternatively, you could go down the pam_ldap rabbit hole and configure
saslauthd to use pam.

-- 
Dan White
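
The settings suggested in the reply above, written out as a saslauthd LDAP configuration fragment. This is an added example, not part of the original message; the server URI and the DN layout (uid=...,ou=people,dc=example,dc=com) are constructed placeholders, and whether the resulting bind honors slapo-ppolicy is the reply's own guess.

```conf
# saslauthd LDAP configuration (added example; host and DN suffix are placeholders)

# Placeholder directory server.
ldap_servers: ldap://ldap.example.com/

# fastbind: saslauthd binds directly as the user's DN with the supplied
# password, without a prior search. The bind result returned by slapd
# decides whether the login succeeds.
ldap_auth_method: fastbind

# Plain simple bind, as suggested in the reply.
ldap_use_sasl: no

# In fastbind mode ldap_filter is not a search filter: it must expand to
# the user's full DN. %u is the user name passed to saslauthd.
ldap_filter: uid=%u,ou=people,dc=example,dc=com
```

saslauthd has to be started with the ldap mechanism (-a ldap) for this file to be used. Running testsaslauthd -u <user> -p <password> against an account whose password has expired shows whether the bind is now rejected.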

