Control of expired passwords with SASL + LDAP

Howard Chu hyc at highlandsun.com
Fri Oct 30 16:39:06 EDT 2009


Dan White wrote:
> On 22/10/09 21:36 -0200, Sandro Venezuela wrote:
>> Hi,
>>
>> I have an e-mail server with Cyrus + SASL + LDAP and would like to
>> prohibit access to the mailbox of a user whose password has expired.
>> How can I do that?
> 
> Sandro,
> 
> Cyrus SASL doesn't have a concept of password expiry. What mechanism is
> controlling when your passwords expire? OpenLDAP ppolicy? or system
> expiration (PAM)?
> 
This isn't quite correct. Cyrus SASL in fact defines a SASL_EXPIRED error
code. However, the only Cyrus mech that currently uses this code is the OTP mech.

Unfortunately the Cyrus SASL auxprop mechanism doesn't define any method for
auxprop plugins to return this type of status information. Looking at the
code, it's not really obvious where such a status should be exposed. It would
certainly be nice to patch this in though.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
