Dan White wrote:
> On 23/10/09 12:20 -0200, Sandro Venezuela wrote:
>> I'm using LDAP to authenticate users on the Cyrus IMAP server, with
>> Thunderbird and eGroupware, and also on the workstations.
>> On the e-mail server, I'm using saslauthd with LDAP, and when the password
>> expires, you can still access the mailbox through Thunderbird.
>> My goal is just to solve this problem, because both eGroupware and PAM
>> already do this for me.
> I'm guessing 'ldap_auth_method: fastbind' with 'ldap_use_sasl: no' will
> honor slapo-ppolicy. Your 'ldap_filter' option will need to resolve to the
> user's DN.
> See 'saslauthd/LDAP_SASLAUTHD' in the sasl source for documentation.
> slapo-ppolicy uses its own expiration configuration, so you would need to
> maintain your pam configuration (for non-imap logins) and slapo-ppolicy in
> parallel.
> Alternatively, you could go down the pam_ldap rabbit hole and configure
> saslauthd to use pam.
The pam_ldap approach may be best for now. (Of course I would recommend using
OpenLDAP's nssov instead, or the nss-pam-ldapd as a 2nd choice, over the
actual pam_ldap code.)
While the current LDAP mech for SASL authentication doesn't support LDAP
password policy, I expect to be adding this soon, hopefully in time for the
next OpenLDAP release.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
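As an added illustration (not part of the thread, and not from the saslauthd or OpenLDAP projects), here is what the direct-LDAP route Dan describes looks like in saslauthd.conf, with the default 'bind' method left in place as comments beside the 'fastbind' replacement. The server URL, base DN, service account and file paths are assumed placeholders; the option names are the ones documented in saslauthd/LDAP_SASLAUTHD.

```ini
# /etc/saslauthd.conf  (assumed path; run saslauthd with "-a ldap")
# Host, base DN and service account below are assumed placeholders.

ldap_servers: ldap://ldap.example.com/
ldap_version: 3
ldap_start_tls: yes
ldap_tls_cacert_file: /etc/ssl/certs/ca.pem

# Before: the default 'bind' method searches for the user with a service
# account, then binds as the DN the search returned.
#ldap_auth_method: bind
#ldap_bind_dn: cn=saslauthd,ou=Services,dc=example,dc=com
#ldap_bind_pw: service-account-password
#ldap_search_base: ou=People,dc=example,dc=com
#ldap_filter: (uid=%u)

# After (Dan's suggestion): 'fastbind' skips the search and binds straight
# away as the user. With fastbind, ldap_filter is not a search filter but the
# DN template itself; saslauthd substitutes the login name for %u, so the
# DN layout under ou=People must be uniform for this to work.
ldap_auth_method: fastbind
ldap_use_sasl: no
ldap_filter: uid=%u,ou=People,dc=example,dc=com
```

Two practical notes. First, slapo-ppolicy refuses a simple bind once pwdMaxAge has elapsed, except for any remaining pwdGraceAuthNLimit grace binds, so when testing expiry behaviour use an account whose grace binds are exhausted, for example with `testsaslauthd -u jdoe -p 'secret' -s imap` (user and password are placeholders). Second, the PAM route Dan and Howard discuss replaces all of the above with `saslauthd -a pam` and a PAM service file for Cyrus (assumed here to be /etc/pam.d/imap) containing `auth required pam_ldap.so` and `account required pam_ldap.so`; the pam_ldap.so module name is provided by both the classic pam_ldap and by nss-pam-ldapd, which Howard prefers, the latter keeping the directory details in nslcd.conf rather than in the PAM stack.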