On Sunday 15 June 2003 17.54, Frank Fegert wrote:
> we're using squid with the squid-ldap-auth helper to authenticate
> users & groups against NDS. The NDS uses password aging with three
> "goodwill" (whats the word in english?) logins after password
> expiration. The problem right now is that the squid-auth helper
> consumes all "goodwill" logins after a password has expired,
> without informing the user about that fact. Thus the next logon to
> the OS is denied and the user has no chance to change his password.
> Is there a way to circumvent this problem?
You need to write an additional helper which checks the password
expiration in your NDS tree, and then deny the user access if his
password is expired or about to expire, with a message that he needs
to change the password (see external_acl_type and deny_info
directives)
The helper can most likely be written as a small shell script running
ldapsearch and date.. but you need to know how the expiry time is
recorded in the NDS LDAP tree (almost certainly an attribute of the
user object)
Regards
Henrik
-- Donations welcome if you consider my Free Squid support helpful. https://www.paypal.com/xclick/business=hno%40squid-cache.org If you need commercial Squid support or cost effective Squid or firewall appliances please refer to MARA Systems AB, Sweden http://www.marasystems.com/, info@marasystems.comReceived on Sun Jun 15 2003 - 11:26:12 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST