
Re: ppolicy and Red Hat Linux



Joe Friedeggs wrote:
> Debugging this issue has caused me a bit of confusion.  In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
> 
>    ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
> 
> BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user.  How does the policy work in this situation?
> 
> Am I missing something here?
> 

Hello,

have a look at 'man pam_ldap':

<snip>
>        pam_lookup_policy <yes|no>
>               Specifies whether to search the root DSE for password policy. The default is "no".
<snap>

Did you set that to yes on your clients in /etc/ldap.conf or whatever
it is called on RHEL5?


Regards,
Christian Manal
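
An added example, not part of the original message: a small shell check that reports whether a pam_ldap client config enables the `pam_lookup_policy` option quoted above. The function names, the sample files and the parsing rules (blank-separated `keyword value` lines, `#` comment lines, case-insensitive keyword, last occurrence wins) are assumptions made for illustration.

```shell
#!/bin/sh
# Print the pam_lookup_policy state of a pam_ldap config: yes, no, unset or invalid.
# "unset" means the default applies, which the quoted man page gives as "no".
# Assumed parsing rules: "#" comment lines, case-insensitive keyword, last one wins.
pam_lookup_policy_state() {
    conf=$1
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "pam_lookup_policy" { val = tolower($2); seen = 1 }
        END {
            if (!seen) print "unset"
            else if (val == "yes" || val == "no") print val
            else print "invalid"
        }
    ' "$conf"
}

# Audit one client config; exit status 0 only when the option is set to yes.
audit_client() {
    state=$(pam_lookup_policy_state "$1") || true
    case $state in
        yes)   echo "$1: pam_lookup_policy yes"; return 0 ;;
        unset) echo "$1: pam_lookup_policy not set (default is no)"; return 1 ;;
        *)     echo "$1: pam_lookup_policy is $state"; return 1 ;;
    esac
}

# Constructed sample configs (not taken from the thread).
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'uri ldap://ldap.example.net' \
        'binddn cn=proxy,dc=example,dc=net' > "$dir/default.conf"
    printf '%s\n' 'uri ldap://ldap.example.net' \
        '# pam_lookup_policy no' 'PAM_LOOKUP_POLICY  Yes' > "$dir/enabled.conf"
    printf '%s\n' 'pam_lookup_policy no' > "$dir/disabled.conf"
    echo "$dir"
}

samples=$(make_samples)
for f in "$samples"/*.conf; do
    audit_client "$f" || true
done
rm -rf "$samples"
```

On a real client, call `audit_client` with the path of the pam_ldap configuration file in use on that system.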