> Has anyone gotten any version of the code to work with OpenLDAP?

No AFAIK.

> OpenLDAP doesn't send the extended error messages (account
> locked, password expired, etc) like SunDS and Active Directory do, so
> there's no way to tell one authentication exception from another.

The the ppolicy strategy you mentioned is a viable alternative.  I'm
picturing a pluggable password expiration policy framework where the
existing extended error-code mechanism is one implementation and
ppolicy another for OpenLDAP.  We have the resources and interest to
pursue the ppolicy implementation once the framework matures to
support multiple implementations.  No argument it significantly
increases the complexity, but it's necessary complexity for coverage
of an important directory like OpenLDAP.

M

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-dev

Reply via email to