Hi Isabelle,
We also use LDAP and have attributes for password expiration. Our
CCA deployment is out of band. What we do is have a "probation" role
that we put people into if their password has expired or if they have
been disallowed network access.
The probation role is associated with a probation VLAN, and that VLAN
has route map policies that only allow traffic to a single web server
that will tell the user why they are probated, and allow them to do
password self-service, etc.
If you would like more technical information on how we accomplished
this, feel free to contact me.
Eric J. Kenny
Network Analyst
Marist College
3399 North Rd.
Poughkeepsie, NY 12601
845.575.3820
On May 6, 2008, at 10:36 AM, Isabelle Graham wrote:
We are looking at developing a way to have the CCA Agent notify users at log in of imminent password expiration. Our authentication mechanism is LDAP and we have LDAP attributes for password expiration date and number of remaining grace logins. However, given the limited boolean actions available for LDAP attributes, I don't see a way to have the warning only appear, say, when the user's password will expire in the next 7 days or the grace logins are below 5. Has anyone else done something similar? Any insight is appreciated.
Thanks!
--
Isabelle Graham
Information Security
American University
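Since the CCA agent's LDAP checks are boolean only, the threshold comparison Isabelle describes (expiry within 7 days, fewer than 5 grace logins) has to be done out of band, which is also where Eric's "probation" decision is made. The following is an added example, written for this thread and not code from either poster or from Cisco; it evaluates one LDAP entry against those thresholds and also picks out the expired accounts that would go into a probation role. The attribute names passwordExpirationTime and loginGraceRemaining, the GeneralizedTime format, the fixed "now" timestamp and the sample entries are all assumptions or constructed data, not taken from either site's directory.

```python
from datetime import datetime, timedelta, timezone

# Thresholds from Isabelle's question: warn inside 7 days or below 5 grace logins.
WARN_DAYS = 7
WARN_GRACE = 5


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in UTC ('Z') form, e.g. '20080513103600Z'.

    Handles the 14-, 12- and 10-digit variants and drops fractional seconds.
    Local-offset forms (+hhmm) are rejected rather than silently misread.
    """
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') GeneralizedTime values are handled")
    digits = value[:-1].split(".")[0].split(",")[0]
    fmt = {14: "%Y%m%d%H%M%S", 12: "%Y%m%d%H%M", 10: "%Y%m%d%H"}[len(digits)]
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


# Fixed evaluation time so the example is reproducible (assumed, matches the
# date of the thread). A real job would use datetime.now(timezone.utc).
NOW = parse_generalized_time("20080506103600Z")

# Constructed sample entries in the attribute -> list-of-strings shape most
# LDAP client libraries return. Attribute names are assumed.
SAMPLE_ENTRIES = {
    "alice": {"passwordExpirationTime": ["20080510120000Z"], "loginGraceRemaining": ["7"]},
    "bob":   {"passwordExpirationTime": ["20080601000000Z"], "loginGraceRemaining": ["3"]},
    "carol": {"passwordExpirationTime": ["20080501000000Z"], "loginGraceRemaining": ["0"]},
    "dave":  {"passwordExpirationTime": ["20080901000000Z"], "loginGraceRemaining": ["10"]},
    "erin":  {},  # no expiry attributes at all: nothing to warn about
}


def evaluate(entry, now=NOW, warn_days=WARN_DAYS, warn_grace=WARN_GRACE):
    """Return (state, message) for one entry.

    state is 'expired' (candidate for the probation role), 'warn'
    (show a login-time notice) or 'ok' (say nothing).
    """
    reasons = []
    exp_values = entry.get("passwordExpirationTime", [])
    if exp_values:
        remaining = parse_generalized_time(exp_values[0]) - now
        if remaining <= timedelta(0):
            # Expired: grace logins are irrelevant for the decision here.
            return ("expired", "Your password has expired.")
        if remaining <= timedelta(days=warn_days):
            # Round up so "4 days and 1 hour" is reported as 5, never understated.
            days_left = -(-remaining // timedelta(days=1))
            reasons.append(f"your password expires in {days_left} day(s)")
    grace_values = entry.get("loginGraceRemaining", [])
    if grace_values:
        grace = int(grace_values[0])
        if grace < warn_grace:
            reasons.append(f"only {grace} grace login(s) remain")
    if reasons:
        return ("warn", "Password warning: " + "; ".join(reasons) + ".")
    return ("ok", None)


def probation_users(entries, now=NOW):
    """Sorted user ids whose password has expired, i.e. who belong in the probation role."""
    return sorted(uid for uid, entry in entries.items() if evaluate(entry, now)[0] == "expired")


if __name__ == "__main__":
    for uid, entry in SAMPLE_ENTRIES.items():
        print(uid, evaluate(entry))
    print("probation:", probation_users(SAMPLE_ENTRIES))
```

The expiry check compares against the remaining time rather than a day count taken from the directory, so it works regardless of which attribute the directory exposes; only the parsing line changes if the server stores expiry as something other than GeneralizedTime.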