
Re: Ppolicy issues

Bryan Payne wrote, on 21-02-2008 15:52:

> If the account is locked, the user cannot login. If the password has expired, the user can login.

Not at my site.

> I would like for it to prompt for the password but it fails to work for Linux machines using pam or Windows machines using pGina.

How are your users logging in - at a CLI login, gdm, su, ssh? On all of these at my site the user gets prompted for his password. This *is* a pam matter.

> I understand this is an openldap list so if you tell me the issue is client side (and pam related) regarding changing the password upon expiration, I'll take my question there.

Have a look at (haven't forgotten you're using CentOS4) /etc/pam.d/system-auth; if in doubt about what the different libraries do, read the html docs. Pam login and password change sub-*mechanism*s can also be defined in /etc/ldap.conf. Bits of what you're finding are pam related, bits are OL ppolicy.

What happens if you comment out all the ppolicy-related stuff in slapd.conf? Are your users still not getting prompted for a password?

> What about notification of expiration? As it is right now, the user is never shown if their password is expiring soon. It sends it to a log on the ldap server, but nothing pops up on the client machine. Is this pam related too?

No, purely OL ppolicy, works well at my site.

Buchan Milne wrote:
> On Wednesday 20 February 2008 17:10:00 Bryan Payne wrote:
>> Thank you for your help. I added the pwdPolicySubentry to a user to no
>> avail. I did find this in the logfile though:
>>
>> Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT
>> tag=101 err=50 nentries=0 text=Operations are restricted to
>> bind/unbind/abandon/StartTLS/modify password
>>
>> So it looks like it's trying to do something but cannot. While I'm
>> concerned about password strength, I'm more concerned (at this point)
>> with just having the machine prompt for a password change.
>
> Well, what do you mean by "the machine"? It looks like the password has expired, but if you're expecting a prompt for a password change, that's a client side issue. So, what is the client in this case? Recent versions of pam_ldap support ppolicy (IIRC including the one shipped with RHEL4), but you didn't say which client this is.
>
> Also, you said accounts get locked, but users can still log in? This sounds like you might not actually be using pam_ldap for authentication, but the pam_unix->nss_ldap (NIS replacement and nothing more) method, which won't see anything relating to ppolicy.


Tony Earnshaw
Email: tonni at hetnet dot nl
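The err=50 line Bryan quoted is the only evidence the thread has of what ppolicy is doing, and the replies point out that slapd's log is where expiry and lockout show up (nothing reaches the client unless pam_ldap is in the stack). The script below is an added example, not code from the thread or from OpenLDAP: it classifies slapd "RESULT" lines at the default stats loglevel into ppolicy-relevant outcomes using the standard LDAP result codes (0 success, 49 invalidCredentials, 50 insufficientAccessRights) and the exact text string from the thread. The first sample line is the one from the thread; the other two are constructed.

```python
import re
from collections import Counter

# Text slapd's ppolicy overlay returns on operations other than a password
# change when the bound user must change their password first (the err=50
# line quoted in the thread).
MUST_CHANGE_TEXT = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password"

# Matches the RESULT lines slapd writes at loglevel stats:
#   conn=N op=N [SEARCH ]RESULT tag=N err=N [nentries=N] text=...
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?:SEARCH )?RESULT tag=(?P<tag>\d+) "
    r"err=(?P<err>\d+)(?: nentries=\d+)? text=(?P<text>.*)$"
)

# Constructed sample log: line one is the line from the thread, lines two and
# three are made up to show a failed bind (tag=97 is bindResponse) and a
# successful one.
SAMPLE_LOG = [
    "Feb 20 09:01:13 ldapserver slapd[6709]: conn=95289 op=4 SEARCH RESULT "
    "tag=101 err=50 nentries=0 text=" + MUST_CHANGE_TEXT,
    "Feb 20 09:01:14 ldapserver slapd[6709]: conn=95290 op=0 RESULT tag=97 err=49 text=",
    "Feb 20 09:01:15 ldapserver slapd[6709]: conn=95291 op=0 RESULT tag=97 err=0 text=",
]


def classify(line):
    """Describe the ppolicy-relevant outcome of one slapd RESULT line.

    Returns a dict with conn, op, err, status and a human-readable note, or
    None for lines that are not RESULT lines (BIND, SRCH, connection lines...).
    """
    m = RESULT_RE.search(line)
    if m is None:
        return None
    err = int(m.group("err"))
    text = m.group("text").strip()
    if err == 0:
        status, note = "ok", "operation succeeded"
    elif err == 49:
        # invalidCredentials: the result code alone does not say whether the
        # password was wrong, the account is locked or the password has
        # expired; that detail only travels in the ppolicy response control,
        # which a client must request and understand (pam_ldap does, the
        # pam_unix->nss_ldap route does not).
        status, note = "bind_failed", "invalidCredentials (wrong password, locked or expired)"
    elif err == 50 and text.startswith("Operations are restricted to"):
        status, note = "must_change_password", "bound, but ppolicy requires a password change first"
    elif err == 50:
        status, note = "access_denied", "insufficientAccessRights"
    else:
        status, note = "other", f"LDAP result code {err}"
    return {"conn": m.group("conn"), "op": m.group("op"), "err": err,
            "status": status, "note": note}


def summarize(lines):
    """Count outcomes over an iterable of log lines; non-RESULT lines are skipped."""
    counts = Counter()
    for line in lines:
        result = classify(line)
        if result is not None:
            counts[result["status"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        r = classify(entry)
        print(f"conn={r['conn']} op={r['op']} err={r['err']}: {r['status']} ({r['note']})")
    print(summarize(SAMPLE_LOG))
```

Run against a real slapd log with `summarize(open("/var/log/slapd.log"))`; a steady count of must_change_password results from a connection that never issues a password modify is the server-side symptom of exactly the situation in the thread, a client that binds fine but never shows the user a change prompt.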