Re: [squid-users] LDAP Auth + Passwd expiry

From: Justin Hennessy <jhennessy@dont-contact.us>
Date: Mon, 16 Jun 2003 09:45:06 +0930

I think what Frank is talking about is "grace" logins (a number of chances after your password has expired).

Any ideas on how to check for this?

I am running NDS as well with a view to implementing the same system so I am interested to see if there is a fix.

>>> Christoph Haas <email@christoph-haas.de> 16/06/2003 1:51:47 am >>>
On Sun, Jun 15, 2003 at 05:54:06PM +0200, Frank Fegert wrote:
> we're using squid with the squid-ldap-auth helper to authenticate users &
> groups against NDS. The NDS uses password aging with three "goodwill"
> (whats the word in english?) logins after password expiration.

We use basically the same setup. The "goodwill" is called "intruder
lockout" in Novell slang.

> The problem right now is that the squid-auth helper consumes all "goodwill"
> logins after a password has expired, without informing the user about
> that fact. Thus the next logon to the OS is denied and the user has no
> chance to change his password.
> Is there a way to circumvent this problem?

The authentication cache in Squid distinguishes between positive
authentication (username and password matched) and negative
authentication (username/password mismatch). So the only case that a
user accidentally gets locked out is when he really tries to enter the
same (wrong) password three times. We are running LDAP authentication
against an NDS, too. During normal operation there are no users locked
out.

But maybe you talk about something else.

 Christoph

-- 
~
~
".signature" [Modified] 3 lines --100%--                3,41         All
Received on Sun Jun 15 2003 - 18:15:53 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:22 MST