On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne <bpayne@speedfc.com> wrote:
If the account is locked, the user cannot login. If the password has
expired, the user can login. I would like for it to prompt for the
password but it fails to work for linux machines using pam or windows
machines using pgina. I understand this is an openldap list so if you
tell me the issue is client side (and pam related) regarding changing
the password upon expiration, I'll take my question there. What about
Yes, this is pam_ldap related. You probably just need to configure it to use password policy in /etc/ldap.conf: pam_lookup_policy yes
Just note you need a recent version of pam_ldap for this to work properly.
If the client is not ppolicy aware, he will just get back a login
failure. If, however, he *is* aware, meaning he sends the right
control and interprets the answer correctly, he will be able to show
the user the reason for the failure and, in the case of an expired
password, or forced password change, even act accordingly.