While fixing a #bug in the password expiration policy with the OpenLDAP local accounts provider, a new issue was found:
- User has an expired password – see Effects of expired passwords
- User connects to the /user-settings page to change their password, but it does not work. Services based on PAM (like IMAP) are not accessible.
A. WONTFIX: Password expiration with OpenLDAP is rarely used; we can live with this limitation. Users with expired passwords call and get a new password from the sysadmin.
B. REMOVE the feature completely starting from NS 7.10. The Password policy is removed from the UI, and LDAP shadow* attributes are no longer enforced, even on existing systems, which are forcibly migrated to a non-expiring password policy.
C. IMPLEMENT an alternative. New systems will be based on the new implementation. Old systems retain the current behavior. A manual migration path would be useful.
- A is a time-bomb, as it leaves the door open to sudden service lockouts
- C is optimal, but it seems not worth the effort for a feature that is rarely used
What do you think?
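As an added example (not code from the original post or from the NethServer project), the script below reads an LDIF export of shadowAccount entries and reports which users are already locked out by the shadow* attributes, which are inside the warning window, and which are unaffected; that is the inventory a sysadmin would want before choosing between A (leave the lockouts in) and B (migrate everyone to non-expiring). The attribute semantics are assumptions, not taken from the thread: shadowLastChange and shadowExpire are days since 1970-01-01, shadowMax/shadowWarning/shadowInactive are day counts, -1 or absence disables a check, and the checks are applied in the order pam_unix uses (account expiry, forced change, inactivity, password expiry, warning). The LDIF and the pinned "today" value are constructed.

```python
"""Classify password-aging state from LDAP shadow* attributes.

Added example for this thread, not code from the original post or NethServer.
Assumed semantics (shadowAccount schema as read by pam_unix): shadowLastChange
and shadowExpire are days since 1970-01-01; shadowMax, shadowWarning and
shadowInactive are day counts; -1 or absence disables that check.
"""

# Constructed sample export (not real data); TODAY is pinned so results reproduce.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: shadowAccount
uid: alice
shadowLastChange: 19700
shadowMax: 90

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: shadowAccount
uid: bob
shadowLastChange: 19500
shadowMax: 90
shadowInactive: 30

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: shadowAccount
uid: carol
shadowLastChange: 19720
shadowMax: 90
shadowWarning: 14

dn: uid=dave,ou=People,dc=example,dc=org
objectClass: shadowAccount
uid: dave
shadowLastChange: 0
shadowMax: 90

dn: uid=erin,ou=People,dc=example,dc=org
objectClass: shadowAccount
uid: erin
shadowLastChange: 19750
shadowMax: 99999
"""
TODAY = 19800  # day number since 1970-01-01, fixed for the sample


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes.
    Base64 values ('::') and folded continuation lines are not handled."""
    entries, current = [], {}
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def _int_or(entry, attr, default=-1):
    try:
        return int(entry[attr][0])
    except (KeyError, IndexError, ValueError):
        return default


def password_state(entry, today):
    """Return (state, days_left), checking in the order pam_unix does:
    account-expired, must-change, inactive, expired, warning, ok."""
    expire, lstchg = _int_or(entry, "shadowExpire"), _int_or(entry, "shadowLastChange")
    maxdays, inact = _int_or(entry, "shadowMax"), _int_or(entry, "shadowInactive")
    warn = _int_or(entry, "shadowWarning")
    if expire > 0 and today >= expire:
        return "account-expired", 0     # whole account disabled, regardless of password
    if lstchg == 0:
        return "must-change", 0         # forced change at next login
    if lstchg < 0 or maxdays < 0:
        return "ok", None               # no aging configured: never expires
    if today < lstchg:
        return "ok", None               # last change in the future (clock skew): do not lock
    age = today - lstchg
    if inact >= 0 and age > maxdays + inact:
        return "inactive", 0            # grace period over too: PAM refuses the login
    if age > maxdays:
        return "expired", 0             # PAM demands a new password before granting access
    days_left = maxdays - age
    if warn >= 0 and age + warn > maxdays:
        return "warning", days_left
    return "ok", days_left


def report(ldif_text, today):
    """uid -> (state, days_left) for every shadowAccount entry in an LDIF dump."""
    return {e["uid"][0]: password_state(e, today)
            for e in parse_ldif(ldif_text)
            if "uid" in e and "shadowAccount" in e.get("objectClass", [])}
```

To run it against a real directory instead of the constructed sample, export the entries with `ldapsearch -LLL -o ldif-wrap=no ... '(objectClass=shadowAccount)' uid objectClass shadowLastChange shadowMax shadowWarning shadowInactive shadowExpire` (the `-o ldif-wrap=no` option keeps long lines unfolded, which this parser needs) and pass the current day number, `(datetime.date.today() - datetime.date(1970, 1, 1)).days`, as `today`. The states `expired` and `inactive` are the accounts that already cannot log in through PAM-backed services; `warning` is the population that will join them within shadowWarning days.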