Control of expired passwords with SASL + LDAP

Howard Chu hyc at highlandsun.com
Fri Oct 23 17:01:51 EDT 2009


Dan White wrote:
> On 23/10/09 12:20 -0200, Sandro Venezuela wrote:
>> I'm using LDAP to authenticate users on the Cyrus IMAP server, with
>> Thunderbird and eGroupware, and also on the workstations.
>>
>> On the E-mail server, I'm using saslauthd with LDAP and when password
>> expires, you can still access the mailbox through Thunderbird.
>>
>> My goal is just to solve this problem, because both eGroupware and PAM
>> already do this for me.
>
> I'm guessing 'ldap_auth_method: fastbind' with 'ldap_use_sasl: no' will
> honor slapo-ppolicy. Your 'ldap_filter' option will need to resolve to the
> user's DN.
>
> See 'saslauthd/LDAP_SASLAUTHD' in the sasl source for documentation.
>
> slapo-ppolicy uses its own expiration configuration, so you would need to
> maintain your pam configuration (for non imap logins) and slapo-ppolicy in
> parallel.
>
> Alternatively, you could go down the pam_ldap rabbit hole and configure
> saslauthd to use pam.
>
The pam_ldap approach may be best for now. (Of course I would recommend using 
OpenLDAP's nssov instead, or the nss-pam-ldapd as a 2nd choice, over the 
actual pam_ldap code.)

While the current LDAP mech for SASL authentication doesn't support LDAP 
password policy, I expect to be adding this soon, hopefully in time for the 
next OpenLDAP release.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
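Added example (not from the thread) of the fastbind setup Dan describes, together with a minimal slapo-ppolicy expiry policy; all host names, DNs and the 90-day pwdMaxAge are assumed values:

```conf
# --- /etc/saslauthd.conf (saslauthd started with "-a ldap -O /etc/saslauthd.conf") ---
ldap_servers: ldaps://ldap.example.com/
ldap_version: 3
# fastbind: no search and no service account; saslauthd builds the DN from
# ldap_filter and does a simple bind with the password the IMAP client sent.
ldap_auth_method: fastbind
# Keep it a simple bind: slapo-ppolicy is enforced on simple binds, so an
# expired password makes the bind fail and the mailbox login is refused.
ldap_use_sasl: no
# In fastbind mode this must expand to the user's DN, not a search filter.
ldap_filter: uid=%u,ou=people,dc=example,dc=com

# --- slapd.conf: enable the overlay on the database holding the users ---
moduleload ppolicy.la
# (inside the "database" section for dc=example,dc=com)
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# --- LDIF for the default policy, loaded with ldapadd (assumed values) ---
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# 90 days, in seconds; after this a simple bind is rejected ...
pwdMaxAge: 7776000
# ... with no grace logins, so the IMAP login fails immediately.
pwdGraceAuthNLimit: 0
# Warn clients that request it one week ahead (604800 s).
pwdExpireWarning: 604800
```

With this in place, `testsaslauthd -u alice -p <password>` should report NO rather than OK once alice's password is older than pwdMaxAge, which is the check to run before trusting the IMAP side.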


More information about the Cyrus-sasl mailing list