21 Nov 2014, 15:43

go and ldap password policies

In the last days, I started working on an oauth2 and openid connect server (thanks to osin).

As the project is starting out as a corporate Single Sign-On backed by an ldap directory, users need to know when their password is about to expire and must be able to change it during the login phase.

So some ldap client features were needed:

  • Password policies (fedora 389 and other netscape derivatives use one draft rfc, while the openldap ppolicy overlay uses a different draft rfc)
  • Password Modify Extended Operation (rfc 3062)
  • StartTLS
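The password-policy item is what lets the client learn about an upcoming expiry: the server attaches a response control to the bind result. As an added example (not code from this post or from the ldap library it describes), here is a stand-alone decoder for that control value as the openldap ppolicy overlay (draft-behera-ldap-password-policy) emits it; the tag bytes and the short-form-length-only assumption are mine, and the sample input is constructed.

```go
package main

import "fmt"

// PasswordPolicyResponse is what a client learns from the ppolicy response
// control (draft-behera-ldap-password-policy) returned with a bind result.
type PasswordPolicyResponse struct {
	TimeBeforeExpiration int64 // seconds until expiry, -1 if absent
	GraceAuthNsRemaining int64 // grace binds left after expiry, -1 if absent
	Error                int   // 0 passwordExpired, 1 accountLocked, ...; -1 if absent
}

// berInt decodes the small non-negative INTEGER/ENUMERATED contents used here.
func berInt(b []byte) (v int64) {
	for _, c := range b {
		v = v<<8 | int64(c)
	}
	return v
}

// ParsePasswordPolicy decodes the control value as OpenLDAP encodes it (assumed, short-form
// BER only): SEQUENCE { warning [0] (0xA0, constructed) around one implicitly tagged INTEGER
// (0x80 timeBeforeExpiration / 0x81 graceAuthNsRemaining), error [1] (0x81 ENUMERATED) }, both OPTIONAL.
func ParsePasswordPolicy(b []byte) (PasswordPolicyResponse, error) {
	r := PasswordPolicyResponse{-1, -1, -1}
	if len(b) < 2 || b[0] != 0x30 || int(b[1]) != len(b)-2 {
		return r, fmt.Errorf("control value is not a well-formed SEQUENCE")
	}
	for i := 2; i < len(b); {
		if i+2 > len(b) || i+2+int(b[i+1]) > len(b) {
			return r, fmt.Errorf("truncated element in SEQUENCE")
		}
		t, v := b[i], b[i+2:i+2+int(b[i+1])]
		i += 2 + len(v)
		switch {
		case t == 0xA0 && len(v) >= 2 && int(v[1]) == len(v)-2 && v[0] == 0x80:
			r.TimeBeforeExpiration = berInt(v[2:])
		case t == 0xA0 && len(v) >= 2 && int(v[1]) == len(v)-2 && v[0] == 0x81:
			r.GraceAuthNsRemaining = berInt(v[2:])
		case t == 0x81:
			r.Error = int(berInt(v))
		default:
			return r, fmt.Errorf("unexpected or malformed element, tag 0x%02x", t)
		}
	}
	return r, nil
}

func main() { // constructed sample: warning that the password expires in 86400 s
	fmt.Println(ParsePasswordPolicy([]byte{0x30, 0x07, 0xA0, 0x05, 0x80, 0x03, 0x01, 0x51, 0x80}))
}
```

A login page would surface TimeBeforeExpiration as a "change your password soon" prompt and treat Error 0 (passwordExpired) as the trigger for the Password Modify step.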

I noticed that there were a lot of go ldap client forks. As none of those I found implemented these features (or StartTLS was broken), I chose the one that was recently updated and better organized (it’s a github organization and uses the gopkg.in service) and developed some patches on top of it. The maintainer (thanks, John Weldon) was very responsive and accepted my patches.

In the meantime, I also fixed some other bugs…

You can find some examples of these new ldap client features in the examples directory: