On Thu, 23 Dec 2004 [EMAIL PROTECTED] wrote:

I am still running into the same wall that I did at the beginning. The big
thing I am being asked for by my boss is the ability to detect an expired
password. As far as I've found from trolling the archives, the only
projects to handle this sort of thing are now old and unmaintained and all
of the authenticators I got working well report only OK or ERR.

First question first: Where do you want the account information to be stored?


I had hoped to use our fresh new Windows AD in some way to provide the
authentication since my early NTLM and Samba authenticator experiments
were all too flaky to put into a production system and I'd read many posts
on this list suggesting LDAP authentication against AD.

OK, this answers the above. You should then get password expiry automatically by the AD. When the password is expired the user won't be able to authenticate to the proxy.


I got this working
nicely using the squid_ldap_auth helper program and a username/group
filter like "(&(CN=%s)(memberOf=CN=InternetUsers))". This is great but the
demand from on high still stands. The helper returns only OK or ERR!

Ah, I think I see where you are going. You want a message telling the user his password has expired? Unfortunately LDAP as such does not have any such indications (a login is either successful or failed).


So are there any "live" projects out there that can help? As I mentioned, I'd like to use the AD as a source to save having to maintain separate user lists - and frankly our users have enough problems remembering passwords as it is - but I need to trap expired passwords and at least redirect the user to a web page saying "Your password has expired! Go change it!".

Not sure if the AD allows the login (via LDAP) at all when the password has expired.


Try using standard LDAP tools to explore the directory as different users.

Regards
Henrik
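
An added example, not part of the original thread and not code from Squid or squid_ldap_auth: when exploring AD binds with LDAP tools, a failed simple bind returns the generic LDAP result 49, but Active Directory appends a Win32 sub-code after the word "data" in the diagnostic text, and that sub-code distinguishes an expired password from a wrong one. The function names are hypothetical and the sample diagnostic strings are constructed; the helper reply stays OK or ERR as described in the thread, with the reason kept for logging.

```python
import re

# Win32 sub-codes Active Directory places after "data" in the diagnostic
# text of a failed simple bind (LDAP result 49, invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user_not_found",
    "52e": "bad_credentials",
    "530": "logon_hours",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "account_expired",
    "773": "must_change_password",
    "775": "account_locked",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]{1,8})\b")


def classify_bind_failure(diagnostic):
    """Return the reason for a failed AD bind, or 'unknown'."""
    match = _DATA_RE.search(diagnostic or "")
    if not match:
        return "unknown"
    return AD_BIND_SUBCODES.get(match.group(1).lower(), "unknown")


def needs_password_change(diagnostic):
    """True when the bind failed only because the password must be changed."""
    return classify_bind_failure(diagnostic) in (
        "password_expired", "must_change_password")


def helper_reply(bind_ok, diagnostic=""):
    """Map a bind result to (reply, reason); the reply is only OK or ERR."""
    if bind_ok:
        return "OK", "authenticated"
    return "ERR", classify_bind_failure(diagnostic)


# Constructed diagnostic strings in the shape AD uses (DSID values made up).
SAMPLE_EXPIRED = ("80090308: LdapErr: DSID-0C09AAAA, comment: "
                  "AcceptSecurityContext error, data 532, v893")
SAMPLE_BAD_PW = ("80090308: LdapErr: DSID-0C09AAAA, comment: "
                 "AcceptSecurityContext error, data 52e, v893")

if __name__ == "__main__":
    for text in (SAMPLE_EXPIRED, SAMPLE_BAD_PW):
        print(helper_reply(False, text), needs_password_change(text))
```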
