"Password management - Effects of expired password"

GG_jr · May 28, 2016, 6:40am

Hello everybody,

and specially for @alefattorini , @davidep, @giacomo

I reproduce from the NethServer - Administrator Manual:

“After password expiration, the user will be able to read and send mails but can no longer access the shared folders and printers (Samba) or other computer if the machine is part of the domain.”

That mean that:

“Password management” works in totality only if we have at least a configured domain (with or without AD) and only for access of the shared folders and printers or other computers from the configured domain.
Even if we have or not a configured domain, for the Email module, apart for the fact that the users are forced to set strong password and receive warning emails about expiration of the password (with no effect if the password “has expired”), an important function, the “Effect of expired password” is useless.

IMO, this is a major issue regarding “Password management - Effects of expired password”.

The email module is the most exposed part of the informatic system and must be very well protected, not only by Fail2ban, antivirus, antispam, …

How can this issue be solved?

TIA,
Gabriel

PS

Can be a bug?

“A bug report means something is broken, preventing normal/typical use of NethServer.”

giacomo · May 30, 2016, 6:34am

This problem come from user provider implementation on NS 6 and there is no solution.
If you really need to disable a user, just delete it.

On NS 7, the password expiration is based on PAM using SSSD: an expired user should not be able to login to any service.

GG_jr · May 30, 2016, 6:44am

Hello Giacomo,

Thank you for your clarifications!

So, on NS 6.x this feature cannot be used but will be available on NS 7.x and above.

Can be this feature, to disable an user without deleted it or to temporary disable an user, available on NS 7.x and above?

TIA,
Gabriel

giacomo · May 30, 2016, 6:51am

You already can disable it, but some services do not respect the flag.

GG_jr · May 30, 2016, 7:17am

For now (alpha version) or and for the final version(s)?

I’m interesting for the email account and for the user account in AD.

giacomo · May 30, 2016, 7:29am

On NS 6 this is the actual behavior both for “user disabled” and “user expired”.
And it can’t be changed.

On NS 7 an expired or disabled user will not have access to any service (if SSSD claims are true ;))

GG_jr · May 30, 2016, 7:44am

I already understand that for NS 6.x doesn’t work and will not work!

I referred to NS 7.x.

You answered that: “You already can disable it, but some services do not respect the flag.” and I understand that is for NS 7.x.

You said that “some services do not respect the flag.” and I wanted to know, from the plurality of services, if these two will work. I think I was not too clear. Sorry!

From your answer, I understand that is YES!
Thank you!
Gabriel