rpalmarin <rpalma...@yahoo.com> wrote:
> Sven Hartge <sven <at> svenhartge.de> writes:
>> Nikolaos Milas <nmilas <at> noa.gr> wrote:
>>> On 1/4/2011 11:09 AM, Sven Hartge wrote:

>>>> Have a look at the ppolicy slapd.overlay. This will solve your
>>>> problem.

> Sorry for the delay in the response. I checked the ppolicy overlay but
> without success. This overlay does not have a single "password
> expired" attribute to put in the user_filter.

I think you misunderstood the usage of the overlay. There is _no_
additional attribute to check. With ppolicy any authentication will fail
if some previously defined conditions are met (or no longer met) like
the max age of a password.

Documentation is contained in "man slapo-ppolicy", which is a bit hard to
understand, I must admit.

Also look at http://www.openldap.org/doc/admin24/overlays.html;
"12.10 Password Policies" has a nice example.

With this overlay you don't need any additional attributes and no
maintenance or housekeeping script to invalidate expired passwords.

>> At my university we introduced our own attribute gifb-status which
>> contains a "1" if an account is valid, a "0" if it is not (and
>> several others for different purposes) and our ldap-filters all
>> contain something like "(&(ou=foobar)(gifb-status=1))".

> Is it possible that the only way to do this is to manage a new attribute?
> How can all the people that have configured the mail client to
> authenticate with imap-dovecot understand that their password has
> expired?

Well, either way (using ppolicy or an additional attribute): they will
call the support desk, if they are unable to understand the message from
their mail client. No way to fix _this_ problem, I am afraid ;)

S°

-- 
Sigmentation fault. Core dumped.
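
Added example, not part of the original message: a minimal ppolicy setup of the kind the reply points to, written as LDIF for an OpenLDAP 2.4 cn=config server. The suffix dc=example,dc=com, the database DN olcDatabase={1}hdb, the policy entry name and the day counts are assumptions; the overlay acts on bind operations, so Dovecot has to authenticate by binding as the user.

```ldif
# Assumed already in place: the ppolicy module (ppolicy.la) and the
# ppolicy schema are loaded, and ou=policies exists under the suffix.

# 1. Attach the overlay to the user database and name the default policy.
#    Database DN is an assumption; use the one from your own cn=config.
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 2. The policy entry itself (lives in the normal directory tree).
#    pwdPolicy is auxiliary, so a structural class (device) carries it.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
# Password expires 90 days after pwdChangedTime (value in seconds).
pwdMaxAge: 7776000
# Warn policy-aware clients during the last 14 days before expiry.
pwdExpireWarning: 1209600
# No grace logins: the first bind after expiry is refused.
pwdGraceAuthNLimit: 0

# 3. Dovecot side (dovecot-ldap.conf), shown here as comments:
#      auth_bind = yes
#    With auth_bind = no, Dovecot reads userPassword with its own service
#    DN and compares the hash locally, so no bind as the user takes place
#    and the expiry is not enforced.
#    user_filter / pass_filter need no "expired" term; the bind result
#    carries the decision.
```

pwdChangedTime is maintained by the overlay when a password is changed through it, so accounts whose passwords were set before the overlay was enabled carry no timestamp until their next password change.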