Forum Discussion

fvecchiatti_310
Nov 13, 2007

LDAP authentication and password expiration management

Hello,

we have a cluster of FirePass 4301. We use Novell Identity Manager's LDAP server as backend authentication.

The customer policy requires a password expiration time.

So the problem is that, because the password expiration notification with LDAP seems not to be managed by the FirePass, users are not aware of the expiration and in the end are not able to connect.

The LDAP server has a GracePeriod feature that allows a number of connections after the expiration and also has a self-provisioning web page where users can manage their account.

Our idea is to make a configuration where at the start of the grace period we show only the Portal access to the ChangePassword web page so users are forced to renew their account. This is a bit "brutal" but we don't see any other better solution.

The useful session variables we found are:

%session.ldap.auth.passwordexpirationtime%= ' 20080211090403Z '
%session.ldap.auth.passwordexpirationinterval%= ' 7776000 '
%session.ldap.auth.logingraceremaining%= ' 4 '
%session.ldap.auth.logingracelimit%= ' 4 '

Using the passwordexpirationinterval seems a good option, but is the <= operator supported in the LDAP filters?

Now the problem is how to mix all this in one working configuration.

I'm trying to configure two Master groups (one with all the resources, one with only the password change web page) and use an LDAP filter to disable the main group when the grace period starts to decrease.

But it would be enough, and easier, to be able to just show a message or similar.

Any other experience on this would be very appreciated!!!

Many thanks!!

Federico Vecchiatti

 

3 Replies

  • You have a very similar configuration and problem as we do. I am just beginning my research and testing to find what works.

    Were you able to find a good configuration that works?
  • How are you populating these session fields? "session.ldap.auth.passwordexpirationtime"
  • We ran into a similar issue with handling password expirations. I added the following code to an 'LDAP Query' object in the Access Policy (on the successful branch from the 'LDAP Auth' object). Expression:

        # eDirectory passwordExpirationTime is a GeneralizedTime, e.g. 20080211090403Z
        set timeStamp [mcget {session.ldap.last.attr.passwordExpirationTime}]
        set year [string range $timeStamp 0 3]
        set month [string range $timeStamp 4 5]
        set day [string range $timeStamp 6 7]
        set hour [string range $timeStamp 8 9]
        set minute [string range $timeStamp 10 11]
        set second [string range $timeStamp 12 13]
        # Rebuild the timestamp as UTC seconds since the epoch
        set PXT [clock scan "$month/$day/$year $hour:$minute:$second" -gmt true]
        set now [clock seconds]
        # True when the password has already expired
        expr {$PXT <= $now}

    If the expression is true it branches to a 'Redirect Ending' in the policy which redirects the user to the URL that handles the password change. (This works with the timestamp that Novell uses in eDirectory.)
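As an added example (not code from this thread, from F5 or from Novell), the decision both posters describe, modelled stand-alone in Python: parse the eDirectory GeneralizedTime in session.ldap.auth.passwordexpirationtime, send the user to the password-change-only group once the expiration has passed or a grace login has been consumed, and otherwise show a warning a configurable number of days ahead. The session values are the ones quoted in the original post; the 14-day warning threshold and the reading of loginGraceRemaining as decrementing only after expiry are assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, Tuple

# Constructed sample: the session variables quoted in the original post,
# including the surrounding spaces the portal shows around the values.
SAMPLE_SESSION = {
    "session.ldap.auth.passwordexpirationtime": " 20080211090403Z ",
    "session.ldap.auth.passwordexpirationinterval": " 7776000 ",
    "session.ldap.auth.logingraceremaining": " 4 ",
    "session.ldap.auth.logingracelimit": " 4 ",
}

def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime in the UTC form eDirectory uses (YYYYMMDDHHMMSSZ)."""
    value = value.strip()
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime value: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def utc_day(stamp: str) -> datetime:
    """Helper: midnight UTC for a 'YYYY-MM-DD' string (used for the sample runs)."""
    return datetime.strptime(stamp, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def classify(session: Dict[str, str], now: datetime, warn_days: int = 14) -> Tuple[str, str]:
    """Decide which Master group to show and which message (if any) to display.

    Returns ("password-change-only", msg) once the password has expired, i.e. the
    expiration time has passed or a grace login has already been consumed
    (assumption: eDirectory decrements loginGraceRemaining only after expiry);
    otherwise ("full-access", msg), with a warning when expiry is within warn_days.
    """
    expires = parse_generalized_time(session["session.ldap.auth.passwordexpirationtime"])
    remaining = int(session["session.ldap.auth.logingraceremaining"].strip())
    limit = int(session["session.ldap.auth.logingracelimit"].strip())
    if now >= expires or remaining < limit:
        return ("password-change-only",
                f"Your password expired on {expires:%Y-%m-%d}; "
                f"{remaining} of {limit} grace logins remain. Change it now.")
    days_left = (expires - now).days
    if days_left <= warn_days:
        return ("full-access", f"Your password expires in {days_left} day(s); please change it.")
    return ("full-access", "")

if __name__ == "__main__":
    for stamp in ("2007-11-13", "2008-02-01", "2008-02-12"):
        print(stamp, classify(SAMPLE_SESSION, utc_day(stamp)))
```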