Hello,

Just some steps you have to take to start working with password expiration:
 - load the ppolicy overlay and configure it for your database
 - define a policy that enables password expiration (by setting its pwdMaxAge attribute)
 - make sure to apply this policy to your test user (it must be the default one of your database, or be applied using the user's pwdPolicySubentry attribute)
 - change your test user's password to set its initial pwdChangedTime attribute

After this initial configuration, you will be able to retrieve the user's password status on login if:
 - you use an LDAP v3 connection
 - you send a PasswordPolicyRequest control on the user bind
 - you handle the PasswordPolicyResponse control returned by the server

You could use the following Python script, which handles the connection to an LDAP server with ppolicy enabled and displays the bind result with the PasswordPolicyResponse control details, if available:

https://gitlab.easter-eggs.com/-/snippets/23

Note: make sure to use Python 3 and python-ldap >= 3.3.0 for full details. On Debian testing, you can easily pin the python3-ldap package from experimental (https://packages.debian.org/experimental/amd64/python3-ldap/download). On Debian stable, you could use this package: http://apt.easter-eggs.com/debian/pool/main/p/python-ldap/python3-ldap_3.3.1-1~eebpo100+2_amd64.deb

Regards,

On 06/07/2021 at 17:14, Quanah Gibson-Mount wrote:

--On Tuesday, June 29, 2021 6:34 PM -0500 cst labs <labs...@gmail.com> wrote:

hello:

I am currently evaluating the OpenLDAP version 2.4.58. I was told by
someone that it does support the password expired control but I don't see
that it is working. As per the RFC, the server should send this control
as a part of response but it doesn't. I do see that the server returns
the password policy state control that has expired and warning
information. However, I am interested in the password expired control
since I am looking to support an existing implementation that leverages
that control. Can someone tell me how to configure openldap to return
that control?

I suggest reading the slapo-ppolicy(5) man page, which clearly documents how to enable that control.

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

--
Benjamin Renard                  -                   Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37     -    Fax: +33 (0) 1 43 35 00 76
mailto:bren...@easter-eggs.com   -    http://www.easter-eggs.com
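As an added example that is neither the linked snippet nor part of this mail, the Python below decodes the PasswordPolicyResponse control value (OID 1.3.6.1.4.1.42.2.27.8.5.1, ASN.1 syntax from draft-behera-ldap-password-policy) that slapo-ppolicy returns on an LDAPv3 bind carrying the request control. The decoder is pure Python and runs offline on a constructed sample value; bind_with_ppolicy assumes python-ldap's RequestControl/ResponseControl API and the "ctrls" key python-ldap puts in the dict of a failed bind's exception.

```python
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # PasswordPolicyRequest / PasswordPolicyResponse control
# error values of the ENUMERATED in PasswordPolicyResponseValue (draft-behera-ldap-password-policy)
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword", 5: "insufficientPasswordQuality",
                  6: "passwordTooShort", 7: "passwordTooYoung", 8: "passwordInHistory"}
SAMPLE_WARN = bytes.fromhex("3007a0058003015180")  # constructed sample value: timeBeforeExpiration = 86400

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                               # long-form length: low bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0]
    INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }"""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:                             # warning: constructed [0] around the CHOICE
            ctag, num, _ = _tlv(inner, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[ctag]
            result[name] = int.from_bytes(num, "big")   # range is 0..maxInt, so unsigned is fine
        elif tag == 0x81:                           # error: primitive [1] ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in PasswordPolicyResponse" % tag)
    return result
def bind_with_ppolicy(uri, binddn, password):
    """LDAPv3 bind sending PasswordPolicyRequest; returns the decoded response ({} if none). Lazy python-ldap import."""
    import ldap
    from ldap.controls import RequestControl, ResponseControl
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3           # ppolicy controls are only honoured on LDAPv3
    req = RequestControl(PPOLICY_OID, criticality=False)   # the request control carries no value
    try:  # map the response to a plain ResponseControl so we get the raw value for our decoder
        _, _, _, ctrls = conn.result3(conn.simple_bind(binddn, password, serverctrls=[req]),
                                      resp_ctrl_classes={PPOLICY_OID: ResponseControl})
        raw = [(c.controlType, c.controlValue) for c in ctrls]
    except ldap.LDAPError as e:                     # a refused bind still carries the control
        info = e.args[0] if e.args and isinstance(e.args[0], dict) else {}
        raw = [(t[0], t[2]) for t in info.get("ctrls") or []]
    return next((decode_ppolicy_response(v) for oid, v in raw if oid == PPOLICY_OID), {})
```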
