
Re: Ppolicy issues

On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne <bpayne@speedfc.com> wrote:
> If the account is locked, the user cannot log in. If the password has
> expired, the user can log in. I would like for it to prompt for the
> password, but it fails to work for Linux machines using PAM or Windows
> machines using pGina. I understand this is an OpenLDAP list, so if you
> tell me the issue is client side (and PAM related) regarding changing
> the password upon expiration, I'll take my question there. What about

Yes, this is pam_ldap related. You probably just need to configure it
to use password policy in /etc/ldap.conf:
pam_lookup_policy yes

Just note you need a recent version of pam_ldap for this to work properly.

If the client is not ppolicy aware, he will just get back a login
failure. If, however, he *is* aware, meaning he sends the right
control and interprets the answer correctly, he will be able to show
the user the reason for the failure and, in the case of an expired
password, or forced password change, even act accordingly.
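To make the "sends the right control and interprets the answer correctly" part concrete, here is a small decoder for the password policy response control that an OpenLDAP ppolicy overlay attaches to a bind result, plus the decision a ppolicy-aware client (such as a recent pam_ldap) would take from it. This is an added example written for this archive page; it is not code from the thread, from pam_ldap or from OpenLDAP. The control OID and the ASN.1 layout follow draft-behera-ldap-password-policy; the sample control values are constructed by hand, and the function names are my own.

```python
"""Decode the LDAP PasswordPolicyResponseValue control and derive the client action.

ASN.1 (draft-behera-ldap-password-policy):
  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,
          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), changeAfterReset(2), ... } OPTIONAL }
"""
from typing import Dict, Optional, Tuple

# OID of the password policy control (request and response share it).
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, contents, position after the element) for the BER TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def _ber_int(contents: bytes) -> int:
    """BER INTEGER/ENUMERATED contents are big-endian two's complement."""
    return int.from_bytes(contents, "big", signed=True)


def decode_ppolicy_response(value: bytes) -> Dict[str, Optional[object]]:
    """Parse the control value into {'warning': (kind, n) | None, 'error': name | None}."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    result: Dict[str, Optional[object]] = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed: holds one CHOICE alternative
            wtag, wval, _ = _read_tlv(contents, 0)
            if wtag == 0x80:
                result["warning"] = ("timeBeforeExpiration", _ber_int(wval))
            elif wtag == 0x81:
                result["warning"] = ("graceAuthNsRemaining", _ber_int(wval))
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            code = _ber_int(contents)
            result["error"] = ERROR_NAMES.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def client_action(bind_ok: bool, control_value: Optional[bytes]) -> Tuple[str, str]:
    """What the client should do with a bind result, mirroring the behaviour described in the reply.

    A client that did not send the control gets no response value back (None) and can
    only see success or failure; a ppolicy-aware client can explain the failure and
    prompt for a new password when the policy demands it.
    """
    if control_value is None:
        return ("login_ok", "no policy information") if bind_ok else ("login_failure", "no policy information")
    info = decode_ppolicy_response(control_value)
    err, warn = info["error"], info["warning"]
    if not bind_ok:
        return ("login_failure", err or "invalidCredentials")
    if err == "changeAfterReset":  # administrator reset the password: user must set a new one now
        return ("prompt_password_change", "changeAfterReset")
    if warn and warn[0] == "graceAuthNsRemaining":  # expired, but a grace bind was allowed
        return ("prompt_password_change", f"graceAuthNsRemaining={warn[1]}")
    if warn and warn[0] == "timeBeforeExpiration":
        return ("login_ok", f"password expires in {warn[1]} seconds")
    return ("login_ok", "no warning")


if __name__ == "__main__":
    # Constructed sample control values (hand-encoded BER, not captured from a server).
    samples = {
        "locked (bind failed)": (False, b"\x30\x03\x81\x01\x01"),
        "expiring in 3600 s": (True, b"\x30\x06\xa0\x04\x80\x02\x0e\x10"),
        "grace login, 2 left": (True, b"\x30\x05\xa0\x03\x81\x01\x02"),
        "not ppolicy aware": (False, None),
    }
    for label, (ok, ctrl) in samples.items():
        print(f"{label:22s} -> {client_action(ok, ctrl)}")
```

The point the reply makes shows up in the last sample: with no control in play the client only ever learns "login failure", whereas the decoded control distinguishes a locked account from an expired password and tells the client when to prompt for a change.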