[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ppolicy issues

Unfortunately, I have that option enabled in my ldap.conf and I'm using pam_ldap 184. Not quite sure what the problem is. I suppose I'll write a script to handle this for now. Thanks for everyone's help. And if you have any other suggestions, they are much appreciated.

Andreas Hasenack wrote:
On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne <bpayne@speedfc.com> wrote:
If the account is locked, the user cannot login. If the password has
expired, the user can login. I would like for it to prompt for the
password but it fails to work for linux machines using pam or windows
machines using pgina. I understand this is an openldap list so if you
tell me the issue is client side (and pam related) regarding changing
the password upon expiration, I'll take my question there. What about

Yes, this is pam_ldap related. You probably just need to configure it to use password policy in /etc/ldap.conf: pam_lookup_policy yes

Just note you need a recent version of pam_ldap for this to work properly.

If the client is not ppolicy aware, he will just get back a login
failure. If, however, he *is* aware, meaning he sends the right
control and interprets the answer correctly, he will be able to show
the user the reason for the failure and, in the case of an expired
password, or forced password change, even act accordingly.