fvecchiatti_310
Nov 13, 2007 Nimbostratus
LDAP authentication and password expiration management
Hello,
we have a cluster of FirePass 4301. We use Novell Identity Manager's LDAP server as backend authentication.
The customer policy requires a password expiration time.
So the problem is that, because the password expiration notification with LDAP seems not to be
managed by the FirePass, users are not aware of the expiration and in the end are not able to connect.
The LDAP server has a GracePeriod feature that allows a number of connections after the expiration, and also has a self-provisioning web page where users can
manage their account.
Our idea is to make a configuration where, at the start of the grace period, we show only the Portal access to the ChangePassword web page, so users are forced to renew their account. This is a bit "brutal" but we don't see any other better solution.
The useful session variables we found are:
%session.ldap.auth.passwordexpirationtime%= ' 20080211090403Z '
%session.ldap.auth.passwordexpirationinterval%= ' 7776000 '
%session.ldap.auth.logingraceremaining%= ' 4 '
%session.ldap.auth.logingracelimit%= ' 4 '
Using the passwordexpirationinterval seems a good option, but is the <= operator supported in the LDAP filters?
Now the problem is how to mix all this into one working configuration.
I'm trying to configure two Master groups (one with all the resources, one with only the password change web page) and use an LDAP filter to disable the main group when the grace period starts to decrease.
But it would be enough, and easier, to be able just to show a message or similar.
Any other experience on this would be very much appreciated!!!
Many thanks !!
Federico Vecchiatti
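The following is an added example, not code from the original post, from F5 or from Novell. It shows the decision logic the post is after, done in application code rather than in an LDAP filter: parse the LDAP GeneralizedTime in passwordexpirationtime, compare logingraceremaining against logingracelimit to detect that the grace period has started being consumed, and map the result to which portal resources the user should see. The session values are the ones quoted in the post, reused as constructed input; the 14-day warning threshold, the dictionary-style session access and the action names are assumptions.

```python
"""Classify an LDAP-authenticated user's password-expiry state from the
FirePass session values described in the post and map it to a portal action.
Example code; not FirePass, F5 or Novell code."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the session variables quoted in the post, including the
# surrounding spaces FirePass showed around each value.
SAMPLE_SESSION = {
    "session.ldap.auth.passwordexpirationtime": " 20080211090403Z ",
    "session.ldap.auth.passwordexpirationinterval": " 7776000 ",
    "session.ldap.auth.logingraceremaining": " 4 ",
    "session.ldap.auth.logingracelimit": " 4 ",
}

# Assumed actions, from least to most restrictive; the names are illustrative.
ACTIONS = {
    "ok": "show all resources",
    "warning": "show all resources plus an expiry banner",
    "grace": "show only the ChangePassword portal",
    "locked": "deny login and point the user at the self-service page",
}


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as '20080211090403Z' into an aware
    UTC datetime. Only the 'Z' form without fractional seconds is handled,
    which is the form the post shows."""
    text = value.strip()
    if len(text) != 15 or not text.endswith("Z"):
        raise ValueError("unsupported GeneralizedTime value: %r" % value)
    return datetime.strptime(text[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify_password_state(session, now=None, warn_days=14):
    """Return the expiry state, whole days left, grace logins left and the
    portal action. `now` may be an aware datetime, a GeneralizedTime string,
    or None for the current time. warn_days (14) is an assumed site policy."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_generalized_time(now)

    expires_at = parse_generalized_time(session["session.ldap.auth.passwordexpirationtime"])
    grace_remaining = int(session["session.ldap.auth.logingraceremaining"].strip())
    grace_limit = int(session["session.ldap.auth.logingracelimit"].strip())

    remaining = expires_at - now
    days_left = max(0, int(remaining.total_seconds() // 86400))

    if grace_remaining <= 0:
        # All grace logins used up: the LDAP server will refuse the next bind.
        state = "locked"
    elif now >= expires_at or grace_remaining < grace_limit:
        # Expired, or grace logins already consumed: the user is living on
        # the server's grace period and must change the password now.
        state = "grace"
    elif remaining <= timedelta(days=warn_days):
        state = "warning"
    else:
        state = "ok"

    return {
        "state": state,
        "days_left": days_left,
        "grace_remaining": grace_remaining,
        "grace_limit": grace_limit,
        "action": ACTIONS[state],
    }


if __name__ == "__main__":
    # Three points in time around the sample expiry date of 2008-02-11.
    for when in ("20080115000000Z", "20080201000000Z", "20080212000000Z"):
        print(when, classify_password_state(SAMPLE_SESSION, when))
```

Because the expiration time is an absolute timestamp, the check does not need passwordexpirationinterval at all; the interval only matters if you want to display how long the password has been in use. The grace-period test deliberately treats "logingraceremaining below logingracelimit" as already in grace even when the expiry timestamp is still in the future, so a stale or skewed clock cannot hide a user who is consuming grace logins.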