[horde] PAM auth and expiring passwords

Michael J Rubinsky mrubinsk at horde.org
Mon Nov 16 21:24:50 UTC 2015


Quoting Jason L Tibbitts III <tibbs at math.uh.edu>:

>>>>>> "MJR" == Michael J Rubinsky <mrubinsk at horde.org> writes:
>
> MJR> http://svn.php.net/viewvc/pecl/pam/trunk/README?view=markup there
> MJR> is a parameter to check system account management (including
> MJR> expiration date, login hours etc...). However, it seems it might
> MJR> require root access.
>
> I don't think it requires root if things are going via sssd, but my
> understanding is that the parameter defaults to true in any case.
>
> Password expiration does appear to be checked case and auth properly
> fails for expired passwords.  My question relates more to what I can
> actually do with that information within horde.  Currently if the
> password is expiring, the user is logged in and receives no useful
> message.  If the password has expired, they are simply denied access.
>
> I suppose this involves hooking the auth function to present an alert
> with any informative text that the PAM call returns in the case that
> it's successful, and to provide more useful information if the call
> fails.  I guess the first step is logging the actual output string from
> the PAM call so I can see exactly what is returned.

The pam_auth call only returns a boolean. There is an $error parameter  
that is supposed to receive a string value indicating the type of  
error. You should check the value of $error to see if any actual  
useful information is returned.

> If PAM doesn't work, I'll have to collect the account expiry information
> in a separate database and query that at login time.  It might be useful
> to do that for other things like disk quota anyway.  We have many users
> who don't really interact with our systems other than by uploading files
> and via webmail, and of course we can't send them email about expiring
> passwords or quotas because of all the phishing.

If your IMAP server supports quotas, you can use IMP's built-in
support for quotas.

>
>  - J<



-- 
mike
The Horde Project
http://www.horde.org
https://www.facebook.com/hordeproject
https://www.twitter.com/hordeproject
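
Added example, not part of the original message and not Horde code: one way to log the $error string from pam_auth() and reduce it to a coarse reason a login page could act on. The function names classifyPamError() and pamLogin() and the substrings matched are assumptions, and the sample strings are constructed; log the real $error values on your own system before relying on any of them.

```php
<?php
// Added example, not Horde code. classifyPamError() and pamLogin() are
// hypothetical names; the matched substrings are assumptions to be checked
// against the $error values actually logged on your system.

/** Map the free-form $error string from pam_auth() to a coarse category. */
function classifyPamError(string $error): string
{
    $e = strtolower($error);
    if (strpos($e, 'new one required') !== false
        || strpos($e, 'token expired') !== false) {
        return 'password_expired';
    }
    if (strpos($e, 'account has expired') !== false) {
        return 'account_expired';
    }
    // Anything else stays generic; the raw PAM text is never sent to the client.
    return 'denied';
}

/** Authenticate via PECL pam, keeping the raw error in the server log only. */
function pamLogin(string $user, string $pass): array
{
    $error = '';
    // Fourth argument turns on the account management check discussed above.
    if (pam_auth($user, $pass, $error, true)) {
        return ['ok' => true, 'reason' => null];
    }
    // json_encode() keeps control characters in the username out of the log line.
    error_log('pam_auth failed for ' . json_encode($user) . ': ' . $error);
    return ['ok' => false, 'reason' => classifyPamError($error)];
}

// Constructed sample strings so the classifier can be tried without the extension.
$samples = [
    'Authentication failure (constructed sample)',
    'User account has expired (constructed sample)',
    'Authentication token is no longer valid; new one required (constructed sample)',
];
foreach ($samples as $s) {
    printf("%-80s => %s\n", $s, classifyPamError($s));
}
```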