[imp] Horde Password Aging, allow change at login ?

steen at ing-steen.se steen at ing-steen.se
Thu May 6 19:41:39 UTC 2010


> >> >> Message: 3
> >> >> Date: Tue, 04 May 2010 12:37:33 +0200
> >> >> From: Jan Schneider <jan at horde.org>
> >> >> To: imp at lists.horde.org
> >> >> Subject: Re: [imp] Horde Password Aging, allow change at login ?
> >> >> Message-ID: <20100504123733.17141ufabwz0bx8k at neo.wg.de>
> >> >> Content-Type: text/plain; charset=ISO-8859-1; DelSp="Yes";
> >> >>    format="flowed"
> >> >>
> >> >> Quoting steen at ing-steen.se:
> >> >>
> >> >> > Hello Folks!
> >> >> >
> >> >> > As far as I can see Horde alerts when password is about to be aged, and
> >> >> > finally locks one out, that is nice.
> >> >> >
> >> >> > Now to the questions, I am using LDAP as backend, all working fine.
> >> >> >
> >> >> > Is there a standard hook to pop up in the user face when he/she
> >> >> > logins and password is expired, so they can change password ?
> >> >> > Am I on myself to write some PHP code who does the job ?
> >> >> >
> >> >> > I know it is possible to use preauth/postauth hook, but it is
> >> >> > "only returning" variables back.
> >> >> > How do I kick off the password change form ?
> >> >>
> >> >> I'm confused. In your first sentence you said that it's already
> >> >> working, so what do you still need?
> >> >>
> >> >> Jan.
> >> >>
> >> >> --
> >> >> Do you need professional PHP or Horde consulting?
> >> >> http://horde.org/consulting/
> >> >
> >> > Hello Jan!
> >> >
> >> > It is working to that point horde tell that account is expired,
> >> > nothing more, you do not get any chance to
> >> > change the password as user.
> >>
> >> But how would Horde know that, unless you have set it up to know about
> >> that? Or are you authenticating against IMAP and have set up your IMAP
> >> server to alert expired accounts? That would be an important piece of
> >> information.
> >>
> >> Jan.
> >>
> >> --
> >> Do you need professional PHP or Horde consulting?
> >> http://horde.org/consulting/
> >>
> >
> > Hello Jan!
> >
> > I have LDAP backend, and it is working now.
> >
> > Problem was that user is forced to change password at login only at day 0,
> > after that day user is blocked.
> > Although we have grace period after password is expired till it lock in
> > ldap, horde did not use that ldap attribute.
> >
> > I did this to make it work as we need it.
> > /usr/share/horde/lib/Horde/Auth/ldap.php:
> >                     if ($toexpire < 0) {
> >                         $this->_authCredentials['changeRequested'] = true;
> > //                       $this->_setAuthError(AUTH_REASON_EXPIRED);
> > //                       return false;
> >                     };
>
> I'm still confused. So, you configured the $conf[auth][params][*age]
> items in the Horde configuration, and they didn't work?
>
> Jan.

Hello Jan!

They work!

The parameters are set. Maybe I misunderstood the functionality a bit.
      $conf['auth']['params']['minage'] = '0';
      $conf['auth']['params']['maxage'] = '45';
      $conf['auth']['params']['warnage'] = '5';
      $conf['auth']['params']['password_expiration'] = 'yes';

The user got warned correctly by warnage, at maxage day the user is forced
to change password correctly.

When the maxage has passed, the user is locked out, I needed a grace period
after maxage is passed, that forces the user to change password at login
attempts.

In our environment, users might "miss" the warnage and be locked out, also
our users are sloppy and need to be forced doing things like change
passwords or they just let it be.

Normally this can be done by using: "shadowInactive = 90" so user got
forced for 90 days to change password after the maxage has passed.
But I salvaged it, by changing in the libs, horde is very flexible I must
say.

Regards //
               //  Peter Steen
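
The bounded grace period described in this message, as an added example that is not part of the original post and not Horde's own code. The function name `passwordState`, the `PW_*` constants and the lower-cased attribute array are assumptions; 45, 5 and 90 are the values from the message and the day numbers are constructed. As far as the quoted lines show, commenting out the `AUTH_REASON_EXPIRED` branch leaves no upper bound on how long an expired password still logs in, while this keeps a lockout once the `shadowInactive` days are used up.

```php
<?php
// Added example, not Horde code: classify an account from shadowAccount-style
// aging values. All names here are hypothetical.
const PW_OK = 'ok';
const PW_WARN = 'warn';
const PW_CHANGE_REQUIRED = 'change_required';
const PW_LOCKED = 'locked';

/**
 * @param array $entry Lower-cased attribute => value (assumed layout).
 * @param int   $today Days since 1970-01-01, same unit as shadowLastChange.
 */
function passwordState(array $entry, int $today): string
{
    $max = (int)($entry['shadowmax'] ?? 0);
    if ($max <= 0 || !isset($entry['shadowlastchange'])) {
        return PW_OK; // no aging policy on this entry
    }
    $warn     = (int)($entry['shadowwarning'] ?? 0);
    $inactive = (int)($entry['shadowinactive'] ?? 0);
    $toexpire = (int)$entry['shadowlastchange'] + $max - $today;

    if ($toexpire > $warn) {
        return PW_OK;
    }
    if ($toexpire > 0) {
        return PW_WARN;
    }
    // Expired today or earlier: allow login only to change the password,
    // and only while the grace window is open. With shadowinactive = 0 the
    // account locks the day after maxage.
    if (-$toexpire <= $inactive) {
        return PW_CHANGE_REQUIRED;
    }
    return PW_LOCKED; // grace window over: refuse the login
}

// Constructed sample: policy values from the message, day numbers made up.
$entry = [
    'shadowlastchange' => 14700,
    'shadowmax'        => 45,
    'shadowwarning'    => 5,
    'shadowinactive'   => 90,
];
foreach ([14730, 14742, 14745, 14760, 14836] as $day) {
    printf("day %d: %s\n", $day, passwordState($entry, $day));
}
```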


