I am using OpenLDAP and saslauthd to do pass-through authentication. The backend AD stores the real passwd.
With saslauthd, I used '-c' to enable passwd cache and '-t 604800' to set the cache timeout to 7 days.
Everything works all right now, but I got a problem:
As the AD administrator set a policy to force users to reset their passwd every 90 days, if someone changes their passwd in AD, the cache in saslauthd is still there, so the user can, and ONLY can, get authenticated using their OLD passwd.
So, I wonder if saslauthd can add a new option to change the sequence of authentication:
1: Always authenticate the users DIRECTLY with the backend (in my situation, the AD).
2: If successfully authenticated with the backend, then update the saslauthd cache.
3: If the backend is not available, e.g., due to network failure or something else, authenticate with the saslauthd cache.
I think this feature is really helpful; maybe we could discuss this further.
Or, if you people have better methods to get what I want, please tell me.
Thanks.
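The backend-first order requested in the post, written out as an added example (not saslauthd code, and not the poster's own; saslauthd's real cache is keyed and stored differently). `PassThroughAuth`, `FakeDirectory`, `BackendUnavailable` and the sample credentials are all constructed for the illustration. The cache keeps a salted PBKDF2 hash rather than the cleartext password, applies the 7-day timeout from `-t 604800`, is refreshed only after the backend accepts, and is consulted only when the backend is unreachable. One extra design choice is visible in the code: a backend rejection drops the cached entry, so an old password cannot survive in the cache and then be accepted during a later outage.

```python
import hashlib
import hmac
import secrets
import time


class BackendUnavailable(Exception):
    """Raised by the backend callable when it cannot be reached (network failure etc.)."""


class PassThroughAuth:
    """Hypothetical password cache in front of a pass-through backend.

    Order of operations (the behaviour requested in the post):
      1. always ask the backend first;
      2. on backend success, (re)populate the cache entry for that user;
      3. only if the backend is unavailable, fall back to the cache.
    """

    PBKDF2_ITERATIONS = 50_000

    def __init__(self, backend, ttl_seconds=604800):
        self.backend = backend  # callable(user, password) -> bool, may raise BackendUnavailable
        self.ttl = ttl_seconds  # 604800 s = 7 days, as in '-t 604800'
        self._cache = {}        # user -> (salt, pbkdf2 digest, inserted_at)

    def _digest(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.PBKDF2_ITERATIONS)

    def _store(self, user, password, now):
        # Never keep the cleartext: salted, stretched hash only.
        salt = secrets.token_bytes(16)
        self._cache[user] = (salt, self._digest(password, salt), now)

    def _cache_check(self, user, password, now):
        entry = self._cache.get(user)
        if entry is None:
            return False
        salt, digest, inserted_at = entry
        if now - inserted_at > self.ttl:
            del self._cache[user]  # expired: treat as a miss
            return False
        return hmac.compare_digest(self._digest(password, salt), digest)

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        try:
            ok = self.backend(user, password)
        except BackendUnavailable:
            # Step 3: backend down, fall back to the cache (subject to TTL).
            return self._cache_check(user, password, now)
        if ok:
            self._store(user, password, now)   # step 2: refresh the cache
        else:
            self._cache.pop(user, None)        # rejected: do not keep a stale entry around
        return ok


class FakeDirectory:
    """Constructed stand-in for the AD backend: a password table plus an 'available' switch."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.available = True

    def __call__(self, user, password):
        if not self.available:
            raise BackendUnavailable("directory unreachable")
        return self.passwords.get(user) == password


def scenario():
    """Walk through the password-reset case from the post; returns the outcome of each step."""
    ad = FakeDirectory({"alice": "Winter2013"})  # constructed sample credential
    auth = PassThroughAuth(ad, ttl_seconds=604800)
    t0 = 1_000_000
    results = {}
    results["initial_login"] = auth.authenticate("alice", "Winter2013", now=t0)
    ad.passwords["alice"] = "Spring2014"  # the 90-day policy forces a reset in AD
    results["old_pw_after_reset"] = auth.authenticate("alice", "Winter2013", now=t0 + 60)
    results["new_pw_after_reset"] = auth.authenticate("alice", "Spring2014", now=t0 + 120)
    ad.available = False  # simulate a network failure to the backend
    results["outage_new_pw"] = auth.authenticate("alice", "Spring2014", now=t0 + 180)
    results["outage_old_pw"] = auth.authenticate("alice", "Winter2013", now=t0 + 240)
    results["outage_after_ttl"] = auth.authenticate("alice", "Spring2014", now=t0 + 120 + 604801)
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step:20s} -> {'accepted' if outcome else 'rejected'}")
```

Running the script shows the difference from a cache-first order: once AD holds the new password, the old one is rejected immediately, the new one is accepted and cached, and during the outage only the new password works, until the 7-day timeout expires the entry.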