Communicating kerberos password expiration

[Dan White]

On 02/14/15 09:33 -0600, Jason L Tibbitts III wrote:
>I know this isn't entirely a Cyrus question, but I figure some folks
>here would have some idea of my issue.
>
>Basically, we use Kerberos authentication with Cyrus.  The passwords in
>Kerberos expire.  With shell and (Linux) desktop logins and such, the
>system alerts users and if necessary forces them to change their
>password.  And obviously these days it's not terribly useful to actually
>mail someone with information about their password expiring.
>
>My understanding is that IMAP has a limited way to communicate password
>expiration (through the EXPIRED response code).  Does Cyrus support
>communicating that to the client when appropriate?  Anyone know if any
>clients actually do something useful with it?  Does anyone know if the
>protocol (or Cyrus) has any way to communicate password expiration in
>advance of the password actually expiring?  ("You have 5 days to change
>your password" or something like that.)
>
>Really I'd like to integrate something with the Horde webmail system to
>at least cover webmail-only users.  I can actually hack on that a bit,
>but I'll obviously ask the Horde people about that.  Though I wouldn't
>turn down any advice there either if someone here happened to have any.

I haven't found it common for IMAP clients to display Quota alerts, but I
haven't extensively tested. Squirrel mail, and perhaps Horde, will display
Quota Alerts, so it's possible that it would display any alert provided by
the imap server.

There is an annotation (/comment) which you can set per mailbox, which
should result in an alert being displayed:

https://cyrusimap.org/mediawiki/index.php/FAQ

That would allow you to implement the password change notification via
an external process, such as with the cyradm perl library.

I'm unfamiliar with the EXPIRED response code or what Cyrus' plans are for
supporting it.

-- 
Dan White