Control of expired passwords with SASL + LDAP

Sandro Venezuela sandro at linux2business.com.br
Fri Oct 23 16:32:26 EDT 2009


Thanks again.

I'll be testing the use of OpenLDAP ppolicy and posting the results here
for everyone.

Dan White wrote:
> On 23/10/09 12:20 -0200, Sandro Venezuela wrote:
>> I'm using LDAP to authenticate users on the Cyrus Imap Server, with
>> Thunderbird and eGroupware, and also in the workstations.
>>
>> On the E-mail server, I'm using saslauthd with LDAP and when password
>> expires, you can still access the mailbox through Thunderbird.
>>
>> My goal is just to solve this problem, because both eGroupware and PAM
>> already do this for me.
>
> I'm guessing 'ldap_auth_method: fastbind' with 'ldap_use_sasl: no' will
> honor slapo-ppolicy. Your 'ldap_filter' option will need to resolve to
> the user's DN.
>
> See 'saslauthd/LDAP_SASLAUTHD' in the sasl source for documentation.
>
> slapo-ppolicy uses its own expiration configuration, so you would need to
> maintain your pam configuration (for non imap logins) and slapo-ppolicy
> in parallel.
>
> Alternatively, you could go down the pam_ldap rabbit hole and configure
> saslauthd to use pam.
>

-- 
Sandro Venezuela
Linux Specialist
______________________________________
  Linux2Business - Linux Solutions
Rua Aracati, 488 - Santo André - SP
Phone: (11) 4472-4418 - (11) 8485-1049
      www.linux2business.com.br
______________________________________
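
The settings suggested in the quoted reply, written out as a saslauthd.conf fragment. This is an added example, not part of the original messages or of the Cyrus SASL documentation; the server URI and DN are placeholders, and whether this setup honors slapo-ppolicy is the reply's guess, so it needs to be tested with an expired account.

```conf
# saslauthd.conf (constructed example; host and DN below are placeholders)
# saslauthd itself must be started with the LDAP mechanism: saslauthd -a ldap

# Directory server to authenticate against.
ldap_servers: ldap://ldap.example.com

# fastbind: no search step; saslauthd binds directly as the DN
# produced by expanding ldap_filter, using the password the client supplied.
ldap_auth_method: fastbind

# Use a simple bind to the directory rather than a SASL bind.
ldap_use_sasl: no

# With fastbind this is not a search filter: it must expand to the
# user's full DN. %u is replaced with the login name.
ldap_filter: uid=%u,ou=people,dc=example,dc=com
```

Password expiry is then decided by the directory's slapo-ppolicy configuration, which is maintained separately from the PAM settings used for non-IMAP logins.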


