New feature proposal

hu jason jasonhu2088 at gmail.com
Fri Jun 1 04:07:48 EDT 2012


Hi everyone:

     I am using OpenLDAP and saslauthd to do pass-through authentication.
The backend AD stores the real password.

     With saslauthd, I used '-c' to enable the password cache and '-t 604800' to
set the cache timeout to 7 days.

     Everything works all right now, but I have a problem:



    As the AD administrator has set a policy forcing users to reset their password
every 90 days, if someone changes their password in AD, the cache in saslauthd
is still there, so the user can ONLY get authenticated using their
OLD password.

    So I wonder if saslauthd could add a new option to change the
sequence of authentication:

         1: Always authenticate the users DIRECTLY with the backend (in my
situation, the AD).
         2: If successfully authenticated with the backend, then update the
saslauthd cache.
         3: If the backend is not available, e.g., due to network failure
or something else, authenticate with the saslauthd cache.



   I think this feature would be really helpful; maybe we could discuss this
further.

   Or, if you have better methods to get what I want, please tell
me.

    Thanks.
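The two cache orders discussed in the message, simulated side by side. This is an added example, not saslauthd's own code or cache format: it models the cache as one salted hash per user with a TTL (saslauthd's real cache is keyed differently), uses a hypothetical in-memory `FakeAD` backend that can be switched offline, and the names `CachingAuthenticator`, `BackendUnavailable` and `demo` are assumptions made for the illustration. The cache-first order (today's '-c' behaviour) keeps accepting the OLD password for up to the cache timeout after it was changed in AD; the proposed backend-first order rejects it immediately, and only consults the cache when the backend is unreachable.

```python
"""Simulation of cache-first vs. backend-first pass-through authentication.

Added example; not saslauthd code. The cache layout and FakeAD are assumptions.
"""
import hashlib
import hmac
import os
import time


class BackendUnavailable(Exception):
    """Raised by the backend when it cannot be reached (network failure, AD down)."""


def _digest(salt: bytes, user: str, password: str) -> bytes:
    # Cache entries hold a salted hash, never the cleartext password.
    return hashlib.pbkdf2_hmac("sha256", f"{user}\0{password}".encode(), salt, 10_000)


class CachingAuthenticator:
    def __init__(self, backend, ttl_seconds, backend_first, clock=time.time):
        self.backend = backend          # callable(user, password) -> bool; may raise BackendUnavailable
        self.ttl = ttl_seconds          # like saslauthd '-t' (604800 = 7 days)
        self.backend_first = backend_first
        self.clock = clock
        self._cache = {}                # user -> (salt, digest, expires_at)  (simplified layout)

    def _cache_hit(self, user, password):
        entry = self._cache.get(user)
        if entry is None:
            return False
        salt, digest, expires_at = entry
        if self.clock() >= expires_at:  # timed out: drop the entry
            del self._cache[user]
            return False
        return hmac.compare_digest(digest, _digest(salt, user, password))

    def _cache_store(self, user, password):
        salt = os.urandom(16)
        self._cache[user] = (salt, _digest(salt, user, password), self.clock() + self.ttl)

    def authenticate(self, user, password):
        """Return (ok, source); source is 'cache', 'backend' or 'cache-fallback'."""
        if not self.backend_first:
            # Cache-first ('-c' today): a live cache entry short-circuits the backend,
            # so a password changed in AD stays accepted until the entry times out.
            if self._cache_hit(user, password):
                return True, "cache"
            ok = self.backend(user, password)       # unavailability propagates as an error
            if ok:
                self._cache_store(user, password)
            return ok, "backend"
        # Proposed order: backend first; the cache is only a fallback when it is unreachable.
        try:
            ok = self.backend(user, password)
        except BackendUnavailable:
            return self._cache_hit(user, password), "cache-fallback"
        if ok:
            self._cache_store(user, password)        # step 2: refresh the cache on success
        else:
            self._cache.pop(user, None)              # a rejected password must not survive in cache
        return ok, "backend"


class FakeAD:
    """Constructed stand-in for the AD backend (assumption, not a real directory)."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.online = True

    def __call__(self, user, password):
        if not self.online:
            raise BackendUnavailable("directory unreachable")
        return self.passwords.get(user) == password


def demo(backend_first):
    """Walk one user through a password change, a backend outage and cache expiry."""
    now = [1_000.0]
    clock = lambda: now[0]
    ad = FakeAD({"alice": "Winter2012"})            # constructed sample account
    auth = CachingAuthenticator(ad, ttl_seconds=604_800, backend_first=backend_first, clock=clock)
    auth.authenticate("alice", "Winter2012")         # first login fills the cache
    ad.passwords["alice"] = "Spring2012"             # user resets the password in AD
    now[0] += 3_600                                  # one hour later
    old_ok = auth.authenticate("alice", "Winter2012")[0]
    new_ok = auth.authenticate("alice", "Spring2012")[0]
    ad.online = False                                # network failure: backend unreachable
    try:
        fallback_ok = auth.authenticate("alice", "Spring2012")[0]
    except BackendUnavailable:
        fallback_ok = None
    now[0] += 604_800                                # cache timeout has elapsed
    try:
        fallback_expired = auth.authenticate("alice", "Spring2012")[0]
    except BackendUnavailable:
        fallback_expired = None
    return {"old_ok": old_ok, "new_ok": new_ok,
            "fallback_ok": fallback_ok, "fallback_expired": fallback_expired}


if __name__ == "__main__":
    print("cache-first  :", demo(backend_first=False))
    print("backend-first:", demo(backend_first=True))
```

Under backend-first, `old_ok` is False as soon as AD rejects the old password, while the cached entry still carries the user through an outage (`fallback_ok`) until the timeout expires (`fallback_expired`); the cost is that an offline backend now yields a hard error only when no usable entry exists, which is the trade the proposal asks for.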