Re: Check ppolicy



Buchan,

Have you set 'pam_lookup_policy yes' in pam_ldap's ldap.conf?

Yes.

# cat /usr/local/etc/ldap.conf | grep pam_lookup
pam_lookup_policy yes

Are you using pam_ldap in the "account" lines of your PAM configuration?

Yes (if you refer to sshd, which is the service that I use with PAM to make the request in LDAP cluster).

# cat /etc/pam.d/sshd | grep account
# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         sufficient      /usr/local/lib/pam_ldap.so
account         required        pam_unix.so

In http://www.nabble.com/Re:-Password-expiry-warning-message-from-ppolicy-td8071732.html , Prakash Velayutham says:

"Wanted to give a heads up. I have found a solution to this one and it
was not pam_ldap. It was the OpenSSH on my system. I was running OpenSSH
4.1p1 and looks like this issue was fixed in 4.3p2 and higher. I got the
latest 4.5p2 and things are working now. I will test some more and
report back again soon."

Effectively, I use FreeBSD 7.0 which is shipped with OpenSSH 4.5p1; but I've upgraded the OpenSSH to 5.2p1 and I cannot see the warning messages yet.

--
Thanks,
Jordi Espasa Clofent