[horde] PAM auth and expiring passwords

Jason L Tibbitts III tibbs at math.uh.edu
Mon Nov 16 20:36:52 UTC 2015


>>>>> "MJR" == Michael J Rubinsky <mrubinsk at horde.org> writes:

MJR> http://svn.php.net/viewvc/pecl/pam/trunk/README?view=markup there
MJR> is a parameter to check system account management (including
MJR> expiration date, login hours etc...). However, it seems it might
MJR> require root access.

I don't think it requires root if things are going via sssd, but my
understanding is that the parameter defaults to true in any case.

Password expiration does appear to be checked, and auth properly
fails for expired passwords.  My question relates more to what I can
actually do with that information within horde.  Currently if the
password is expiring, the user is logged in and receives no useful
message.  If the password has expired, they are simply denied access.

I suppose this involves hooking the auth function to present an alert
with any informative text that the PAM call returns in the case that
it's successful, and to provide more useful information if the call
fails.  I guess the first step is logging the actual output string from
the PAM call so I can see exactly what is returned.

If PAM doesn't work, I'll have to collect the account expiry information
in a separate database and query that at login time.  It might be useful
to do that for other things like disk quota anyway.  We have many users
who don't really interact with our systems other than by uploading files
and via webmail, and of course we can't send them email about expiring
passwords or quotas because of all the phishing.

 - J<
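
Added example, not part of the original message: one way the fallback described in the last paragraph (expiry data kept separately and queried at login time) could decide which notice to show the user. It assumes the stored records carry shadow(5)-style aging fields and applies the usual shadow aging rules; the function names and sample records are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def _days(field):
    # shadow(5) aging fields are day counts; an empty field means "not set".
    return int(field) if field.strip() else None

def password_status(record, today):
    """Return (state, message) for one shadow(5)-style record."""
    fields = record.strip().split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    lastchg, _minage, maxage, warn, inactive, expire = map(_days, fields[2:8])
    now = (today - EPOCH).days  # shadow dates are days since 1970-01-01

    if expire is not None and 0 < expire <= now:
        return "account_expired", "Your account has expired."
    if lastchg == 0:
        return "must_change", "You must change your password now."
    if lastchg is None or maxage is None or maxage < 0:
        return "ok", ""  # password aging is disabled for this account
    days_left = lastchg + maxage - now
    if days_left < 0:
        # Past the maximum age; after the inactivity period the account locks.
        if inactive is not None and -days_left > inactive:
            return "locked", "Your password expired and the account is locked."
        return "expired", "Your password has expired and must be changed."
    if warn is not None and days_left < warn:
        return "warn", f"Your password expires in {days_left} day(s)."
    return "ok", ""

# Constructed sample records (not real accounts), in shadow(5) field order:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE = """\
alice:x:16700:0:90:14:30::
bob:x:16675:0:90:14:30::
carol:x:16660:0:90:14:30::
dave:x:16600:0:90:14:30::
erin:x:16700:0:90:14:30:16750:
frank:x:0:0:90:14:30::
"""

def login_notices(text, today):
    """Map user name -> (state, message) for every record in text."""
    return {line.split(":", 1)[0]: password_status(line, today)
            for line in text.splitlines() if line.strip()}

if __name__ == "__main__":
    for user, (state, msg) in login_notices(SAMPLE, date(2015, 11, 16)).items():
        print(f"{user:6} {state:16} {msg}")
```

The "warn" and "expired" states are the two cases the message says currently give the user no useful feedback, so those are the strings a login hook would surface.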

