1

Topic: Force Users to change password in 90 days???

http://www.iredmail.org/wiki/index.php? … in.90.Days

Anything for LDAP? It doesn't seem to be shown in the wiki.

2

Re: Force Users to change password in 90 days???

You can try OpenLDAP password policy overlay: ppolicy.
Reference:
http://www.openldap.org/doc/admin24/ove … figuration

Roundcube will store the password last change date in OpenLDAP by default since iRedMail-0.7.0. Personally, I think a simple cron job is easier:

- Create a script to query the OpenLDAP server and get the list of users who didn't change their password or whose password is about to expire in 7 days.
- Send notification emails to these users, asking them to change their password in time.

If you want to force users to change their password after it has expired:

- Create a script to query the OpenLDAP server and get the list of users who didn't change their password or whose password is about to expire in 7 days.
- Send notification emails to these users, asking them to change their password in time.
- If the password has expired, store a special value in the user object. For example, enabledService=pwdexpired, or enabledService=forcechpwd, etc.
- Add an additional LDAP query (querying the added special value) in Postfix, like the MySQL solution you mentioned in your post, to force them to change their password when they try to send out emails via the SMTP service. Users can still fetch mails via POP3/IMAP this way.

3

Re: Force Users to change password in 90 days???

After applying ppolicy on LDAP, do I need to apply it to Roundcube also? And will it apply to iRedAdmin also?

About Roundcube: should I update to the latest Roundcube to make it save to LDAP by default? Please advise. Thanks.

4

Re: Force Users to change password in 90 days???

bongdotcom wrote:

After applying ppolicy on LDAP, do I need to apply it to Roundcube also? And will it apply to iRedAdmin also?

You HAVE TO configure Roundcube to store the password last change date in OpenLDAP, so that the ppolicy overlay can read it.

bongdotcom wrote:

About Roundcube: should I update to the latest Roundcube to make it save to LDAP by default?

iRedMail supports this feature since iRedMail-0.7.0, reference: http://iredmail.org/wiki/index.php?titl … .6.1-0.7.0 (Search Roundcube in this upgrade tutorial)

I'm not sure whether the version of Roundcube you use supports this feature; please check its config file (roundcubemail-x.y.z/plugins/password/config.inc.php) to verify it. If it doesn't support this feature, you'd better upgrade Roundcube manually.

5

Re: Force Users to change password in 90 days???

Thanks Michael.

The $rcmail_config['password_ldap_lchattr'] = 'shadowLastChange'; setting required upgrading Roundcube mail to a newer version. For the old version of iRedMail Pro 1.3 on RHEL, PHP needs to be upgraded from 5.1X to 5.2 first. For 5.2 php, phpldapadmin from
From

protected function draw_dn($dn,$level=0,$first_child=true,$last_child=true) {

To
protected function draw_dn($dn,$level,$first_child=true,$last_child=true) {

The address format is int time() / 86400 = 5 digits int store in shadowLastChange.

But I have a question. If the password is changed from iRedAdmin, how can we save it to shadowLastChange? Any idea? Please advise. Thanks.

6

Re: Force Users to change password in 90 days???

bongdotcom wrote:

The address format is int time() / 86400 = 5 digits int store in shadowLastChange.

That's correct. The integer is the number of days since Jan 01, 1970.

bongdotcom wrote:

But I have a question. If the password is changed from iRedAdmin, how can we save it to shadowLastChange? Any idea?

iRedAdmin-Pro-LDAP stores shadowLastChange after resetting a user's password since version 1.5.0, and stores 'shadowLastChange=0' for newly created mail accounts since version 1.6.0.
iRedAdmin-Pro-MySQL will store the password last change date in the column mailbox.passwordlastchange in the next release, version 1.3.1 (maybe 1.4.0).
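
Added example (not part of the original thread and not iRedMail code): a sketch of the cron-job check suggested in post 2, reading shadowLastChange as days since Jan 01, 1970 from LDIF text such as ldapsearch produces. The function names, the status labels, the sample entries and the choice to treat a missing or zero shadowLastChange as "force" are assumptions of this example.

```python
import time

MAX_AGE_DAYS = 90   # expiry policy from the thread title
WARN_DAYS = 7       # notification window suggested in post 2

# Constructed sample of LDIF search output (DNs and users are made up).
SAMPLE_LDIF = """\
dn: mail=alice@example.com,ou=Users,dc=example,dc=com
mail: alice@example.com
shadowLastChange: 19000

dn: mail=carol@example.com,ou=Users,dc=example,dc=com
mail: carol@example.com
shadowLastChange: 19005

dn: mail=bob@example.com,ou=Users,dc=example,dc=com
mail: bob@example.com
shadowLastChange: 19085

dn: mail=dave@example.com,ou=Users,dc=example,dc=com
mail: dave@example.com
shadowLastChange: 0

dn: mail=erin@example.com,ou=Users,dc=example,dc=com
mail: erin@exam
 ple.com
"""

def parse_ldif(text):
    """Yield {attr: value} per entry; unfolds wrapped lines, single-valued attrs only."""
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split entries
        lines = [ln for ln in block.splitlines() if ": " in ln and not ln.startswith("#")]
        entry = dict(ln.split(": ", 1) for ln in lines)
        if "mail" in entry:
            yield entry

def classify(entry, today):
    """Return 'force', 'expired', 'warn' or 'ok' for one user entry."""
    raw = entry.get("shadowLastChange", "").strip()
    if not raw.isdigit() or int(raw) == 0:
        return "force"            # never changed, or change date not recorded
    days_left = int(raw) + MAX_AGE_DAYS - today
    return "expired" if days_left <= 0 else "warn" if days_left <= WARN_DAYS else "ok"

def report(ldif_text, today=None):
    """Map each mail address to its status; today is days since 1970-01-01."""
    today = int(time.time()) // 86400 if today is None else today
    return {e["mail"]: classify(e, today) for e in parse_ldif(ldif_text)}
```

A cron job would mail the "warn" users and, for "expired" and "force", set the special enabledService value described in post 2.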