Password history configuration for ldap users.

[Meghanand Acharekar <vasco.debian@gmail.com>]

Hello,

I have configured openldap server on RHEL 5.4

I also want to enforce strong password policies for my ldap users.

for which i configured pam module on each ldap client in following way.

(/etc/pam.d/system-auth)

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_tally.so deny=5 unlock_time=300

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    pam_ldap.so use_first_pass

auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \

                                reject_username 

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5

password    sufficient    pam_ldap.so use_authtok

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      pam_ldap.so

session     optional      pam_mkhomedir.so skel=/etc/skel umask=0066

I am having following problems with my configuration.

1. Although configured password history (pam_unix.so remember =5) is not working for ldap users, while other password policies (pam_cracklib,pam_tally) are working fine.

2. I also observed that I can't change/set any users password as root user (using passwd username).

Following is my ldap client configuration file (ldap.conf).

base dc=mycomp,dc=com

bind_timelimit 120

idle_timelimit 3600

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm

pam_check_host_attr

pam_password md5

ssl no

timelimit 120

tls_cacertdir /etc/openldap/cacerts

uri ldap://10.0.119.36

For further troubleshooting I observer my /var/log/secure file while changing ldap user's passwod.

passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd

but #getent passwd show me the username.

Thanks in advance.

--
Regards,
Meghanand N. Acharekar
" A proud GNU\Linux User "
Reg Linux User  #397975
------------------------------------------
I was born free! No Gates and Windows can restrict my Freedom !!!