ppolicy and Red Hat Linux
I need help/advice on ppolicy against Linux servers.
I am running OpenLDAP 2.3.43-3.el5 (Red Hat rpm) on RHEL5. I am using the ppolicy overlay. The overlay seems to work to all of the tools, etc., that use this LDAP, except for the Linux servers. With these servers, we get no expiry warning, and users can log in after the password has expired (unlimited). We are using PAM/LDAP on these servers.
Debugging this issue has caused me a bit of confusion. In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user. How does the policy work in this situation?
Am I missing something here?
Here's what I see when I log in as a user (second login, pwdGraceAuthNLimit=2):
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:03 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 1 grace logins remain)
dn:uid=test_user,ou=people,o=theorg,dc=example,dc=net
Result: Success (0)
[test_user@linux_box ~]$
[test_user@linux_box ~]$exit
Then on the next login:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:26 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$
[test_user@linux_box ~]$exit
Yet again:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:40:12 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$
[test_user@linux_box ~]$
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'uid=test_user,ou=people,o=theorg,dc=example,dc=net' -w ldapspwd +
# extended LDIF
#
# LDAPv3
# base <uid=test_user,ou=people,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: +
#
# test_user, people, theorg, example.net
dn: uid=test_user,ou=people,o=theorg,dc=example,dc=net
structuralObjectClass: person
entryUUID: d45aa296-a3e4-102d-8c8e-0b16af70e85f
creatorsName: cn=ldapmanager,o=theorg,dc=example,dc=net
createTimestamp: 20090313063503Z
pwdHistory: 20091023185344Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RCW90SLv$8PfQ99gzlJd.7TH2HnhOS0
pwdHistory: 20091023190836Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RM6V/Ene$0oGsI47SUaIDFap9Nft3z1
pwdHistory: 20091023191529Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$18vC.s93$cT38cSrrF/PXMhWqV.P.r/
pwdPolicySubentry: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
pwdChangedTime: 20091023191529Z
pwdGraceUseTime: 20091023193816Z
pwdGraceUseTime: 20091023193905Z
entryCSN: 20091023193905Z#000000#00#000000
modifiersName: cn=ldapmanager,o=theorg,dc=example,dc=net
modifyTimestamp: 20091023193905Z
entryDN: uid=test_user,ou=people,o=theorg,dc=example,dc=net
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net' -w ldapspwd
# extended LDIF
#
# LDAPv3
# base <cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ppdefault_test, policies, theorg, example.net
dn: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
cn: ppdefault_test
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 2
pwdCheckQuality: 1
pwdInHistory: 3
pwdLockoutDuration: 60
pwdMaxFailure: 5
pwdFailureCountInterval: 603
sn: ppdefault_test
pwdMaxAge: 120
pwdExpireWarning: 100
description: test
pwdMinAge: 1
pwdSafeModify: FALSE
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$
[test_user@linux_box ~]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
[test_user@linux_box ~]$
[test_user@linux_box ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 type=LDAP
password sufficient /lib/security/$ISA/pam_unix.so nullok md5 use_authtok shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
Any advice would be much appreciated (I swear this worked when I tested it last March).
Thanks,
Joe
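An added illustration (not part of Joe's post or of OpenLDAP's code) of what the ppolicy overlay evaluates at a simple bind as the user, using the policy values and entry attributes shown in the two ldapsearch outputs above. The point it makes for the question: expiry, the warning and the grace counter are only computed and updated when a bind is performed as that user's DN; a search run under a separate binddn never touches this path, so it sees no warning and consumes no grace login. The dict layout and the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Policy values copied from the cn=ppdefault_test entry in the post.
POLICY = {"pwdMaxAge": 120, "pwdExpireWarning": 100, "pwdGraceAuthNLimit": 2}

# Constructed copy of the state attributes from the uid=test_user entry in the post.
TEST_USER = {
    "pwdChangedTime": "20091023191529Z",
    "pwdGraceUseTime": ["20091023193816Z", "20091023193905Z"],
}


def parse_gentime(value):
    """Parse an LDAP GeneralizedTime in the Z (UTC) form slapd writes."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def bind_policy_state(entry, policy, now_gentime):
    """Outcome of a simple bind as `entry` at time `now_gentime` under `policy`.

    Only a bind as the user's own DN reaches this evaluation; a search by
    another binddn (the Linux client's) gets neither a warning nor a grace use.
    """
    now = parse_gentime(now_gentime)
    changed = parse_gentime(entry["pwdChangedTime"])
    expires_at = changed + timedelta(seconds=policy["pwdMaxAge"])
    seconds_left = int((expires_at - now).total_seconds())
    if seconds_left > 0:
        # Not expired: inside pwdExpireWarning seconds the bind succeeds and
        # the response control carries timeBeforeExpiration.
        warn = seconds_left <= policy["pwdExpireWarning"]
        return {"bind_ok": True, "expired": False,
                "warn_seconds": seconds_left if warn else None, "grace_left": None}
    grace_left = policy["pwdGraceAuthNLimit"] - len(entry.get("pwdGraceUseTime", []))
    if grace_left < 1:
        # Matches the post's third login: error 49, "Password expired".
        return {"bind_ok": False, "expired": True, "warn_seconds": None, "grace_left": 0}
    # Expired but grace logins available: the bind succeeds, the control reports
    # graceAuthNsRemaining, and slapd records the use as a new pwdGraceUseTime.
    return {"bind_ok": True, "expired": True, "warn_seconds": None, "grace_left": grace_left}


if __name__ == "__main__":
    # Replay of the entry state at the time of the third login in the post.
    print(bind_policy_state(TEST_USER, POLICY, "20091023194012Z"))
```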