Re: [squid-users] Detecting password expiry

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 23 Dec 2004 23:45:56 +0100 (CET)

On Thu, 23 Dec 2004 Ian.Large@salvesen.com wrote:

> I am still running into the same wall that I did at the beginning. The big
> thing I am being asked for by my boss is the ability to detect an expired
> password. As far as I've found from trolling the archives, the only
> projects to handle this sort of thing are now old and unmaintained and all
> of the authenticators I got working well report only OK or ERR.

First question first: Where do you want the account information to be
stored?

> I had hoped to use our fresh new Windows AD in some way to provide the
> authentication since my early NTLM and Samba authenticator experiments
> were all too flaky to put into a production system and I'd read many posts
> on this list suggesting LDAP authentication against AD.

Ok, this answers the above. You should then get password expiry automatically
by the AD. When the password is expired the user won't be able to
authenticate to the proxy.

> I got this working
> nicely using the squid_ldap_auth helper program and a username/group
> filter like "(&(CN=%s)(memberOf=CN=InternetUsers))". This is great but the
> demand from on high still stands. The helper returns only OK or ERR!

Ah, I think I see where you are going. You want a message telling the user
his password has expired? Unfortunately LDAP as such does not have any
such indications (a login is either successful or failed).

> So are there any "live" projects out there that can help? As I
> mentioned, I'd like to use the AD as a source to save having to maintain
> separate user lists - and frankly our users have enough problems
> remembering passwords as it is - but I need to trap expired passwords
> and at least redirect the user to a web page saying "Your password has
> expired! Go change it!".

Not sure if the AD allows the login (via LDAP) at all when the password
has expired.

Try using standard LDAP tools to explore the directory as different users.

Regards
Henrik
Received on Thu Dec 23 2004 - 15:45:58 MST
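Henrik's suggestion to look at the directory itself can be taken one step further: AD records when a password was last set (pwdLastSet, a FILETIME) and the domain's maximum age (maxPwdAge, a negative 100-ns interval on the domain root), so expiry can be computed from those attributes instead of from the bind result, which the helper collapses to OK/ERR anyway. The following is an added example, not part of this thread or of squid_ldap_auth; it assumes the three values have already been read with a separate LDAP search and uses constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as 100-nanosecond ticks since 1601-01-01 UTC (FILETIME),
# and maxPwdAge (on the domain root) as a NEGATIVE 100-ns interval.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAXPWDAGE_NEVER = -(2 ** 63)        # INT64_MIN: domain passwords never expire
UF_DONT_EXPIRE_PASSWD = 0x10000     # userAccountControl bit on the user object

def filetime_to_datetime(ft):
    """FILETIME ticks -> timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """UTC datetime -> FILETIME ticks (used here to build the sample value)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_state(pwd_last_set, max_pwd_age, user_account_control, now):
    """Classify the password from the three AD values; 'now' is a UTC datetime.
    Returns 'ok', 'expired', 'must-change' or 'never-expires'."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if pwd_last_set == 0:
        return "must-change"   # AD zeroes pwdLastSet for "change at next logon"
    if max_pwd_age in (MAXPWDAGE_NEVER, 0):  # 0 treated as "no maximum" as well
        return "never-expires"
    age = timedelta(microseconds=(-max_pwd_age) // 10)
    expires_at = filetime_to_datetime(pwd_last_set) + age
    return "expired" if now >= expires_at else "ok"

def helper_reply(state):
    """Squid's basic-auth helper line carries only OK or ERR, so the reason
    (the state string) has to be logged or acted on outside the helper."""
    return "OK" if state in ("ok", "never-expires") else "ERR"

# Constructed sample: password set 2004-12-01, domain maximum age 42 days.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2004, 12, 1, tzinfo=timezone.utc))
SAMPLE_MAX_PWD_AGE = -42 * 86400 * 10_000_000
DATE_FRESH = datetime(2004, 12, 23, tzinfo=timezone.utc)   # inside the 42 days
DATE_STALE = datetime(2005, 1, 15, tzinfo=timezone.utc)    # past 2005-01-12

if __name__ == "__main__":
    for label, now in (("2004-12-23", DATE_FRESH), ("2005-01-15", DATE_STALE)):
        st = password_state(SAMPLE_PWD_LAST_SET, SAMPLE_MAX_PWD_AGE, 0, now)
        print(label, st, "->", helper_reply(st))
```

Reading pwdLastSet and userAccountControl requires a bind account with read access to the user objects, so this check belongs in a small wrapper or a side process rather than in the per-request helper call itself.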
