[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Configuring ppolicy problem

To: openldap-technical@openldap.org
Subject: Re: Configuring ppolicy problem
From: Guillaume Rousse <guillomovitch@gmail.com>
Date: Sat, 01 Sep 2012 12:56:05 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=djs0vUxMYiJ+t8jU3ihVBb5r7o1xysoI2tRpdmlY/J8=; b=IptlnXEqaQmR3xPL0FCvEOVQS0+m0r1jHV9MuV0ax0XEUaFKqFcvWwKkkos09dytKT 3GzGD8EKrTjMm1RBM0EkQexwAHmgTaSrzMlY+Nxs/sAaYpVBZowb/rrHFX/CsDLr5ipZ bISKHrZ4fQXnX1TubEWOCpxIJIm6ZZ6zvUaSuOCQslHec5uT9U8uoe8LIcLgog9/5oxc tVvciY0hHiJSpMUGpfpJ2Ixd7dvfGEzlXmrJsyH1yJjt7WpAteW9gk6nOj24938PBRDr z0ZGUQH7efJy7MCiNFe/l9Tu8JQQxlGSsKxkHJ4LDR7052iTbEcJCRFfx8OT2Tw4no1Z Q/LA==
In-reply-to: <504112D8.90905@gmail.com>
References: <503BE6E7.4000809@gmail.com> <AEC8A374AE8AA74E85723C695791A2D090F0F57D52@CARNELIAN.ad.northcentral.edu> <503E3798.5000301@gmail.com> <503E5C1C.4010202@gmail.com> <503E64D4.9020402@gmail.com> <503E82BB.1090601@gmail.com> <504112D8.90905@gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20120829 Thunderbird/15.0

Le 31/08/2012 21:39, cbulist a écrit :

Guillaume,

I did a test with your suggestion and now It is working when I change
the pwdMaxAge to some short time as 15 seconds but I don't receive any
message invite me to change the password or any warning message for
expiration time.
I see the follow message in debug mode:

uid=user1,ou=People,dc=sample,dc=com  has an expired password

I set the attributes in default Policies:

pwsGraceAuthNLimit: 2
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE

In my ldap client I have set:
pam_lookup_policy yes

Do I have to change something in PAM?

No idea exactly.

You'd better test directly with basic ldap clients, such asldapsearch/ldappasswd to understand how password policy works. And debugyour pam issues in a second step. BTW, pam_ldap has dedicated mailinglist that may give better answer than this one.

Also, if you're only interested in password expiration for your unixuser account, you don't need server-side support (ppolicy), thehistorical shadow system should be enough (and probably simpler).



--
BOFH excuse #118:

the router thinks its a printer.

Prev by Date: Re: Performance of MDB and BDB Please suggest?
Next by Date: Need help on ACL
Index(es):
- Chronological
- Thread