RE: ppolicy and Red Hat Linux

> Joe Friedeggs schrieb:
>> Debugging this issue has caused me a bit of confusion. In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
>> ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
>> BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user. How does the policy work in this situation?
>> Am I missing something here?
> Hello,
> have a look at 'man pam_ldap':
>> pam_lookup_policy
>> Specifies whether to search the root DSE for password policy. The default is "no".
> Did you set that to yes on your clients in /etc/ldap.conf or whatever
> it is called on RHEL5?
> Regards,
> Christian Manal

Thanks for the response, Christian.

Yes, I have the following in my LDAP clients' /etc/ldap.conf:

host ldap_svc
binddn cn=simpleBind,o=theorg,dc=example,dc=net
bindpw simpleBind
bind_timelimit 3
base o=theorg,dc=example,dc=net
sudoers_base ou=sudoers,o=theorg,dc=example,dc=net
timelimit 7
idle_timelimit 3600

nss_base_passwd         ou=people,o=theorg,dc=exa
nss_base_shadow         ou=people,o=theorg,dc=exa
nss_base_group          ou=groups,o=theorg,dc=e
nss_reconnect_tries 3
nss_initgroups_ignoreusers root,ldap,named,haldaemon,radiusd,linu

pam_password md5
pam_groupdn cn=level_3,ou=host_ssh_access,o=theorg,dc=example
pam_member_attribute uniqueMember
pam_lookup_policy yes

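Added example, not part of this thread or of pam_ldap/OpenLDAP itself: a small Python helper that picks the "ppolicy_bind: Setting warning for password expiry" message quoted above out of slapd log lines and lists the accounts whose password expires within a chosen number of seconds. The slapd overlay only emits that message for the DN that actually bound, so (as the thread says) a client binding as cn=simpleBind never produces one for the user it is validating; watching the server log this way is one place to see the warnings the pam_ldap side does not show you. The syslog prefix, host name, pid and the second and third sample lines are constructed; the unit is matched loosely ("secds" as quoted here, "seconds" in other builds).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regex for the slapd ppolicy overlay message quoted in this thread:
#   ppolicy_bind: Setting warning for password expiry for <bind DN> = <n> secds
# The unit is matched loosely ("secds" on this list, "seconds" in other builds).
PPOLICY_WARNING_RE = re.compile(
    r"ppolicy_bind: Setting warning for password expiry for "
    r"(?P<dn>\S.*?) = (?P<secs>\d+) sec\w*"
)

# First RDN of a DN of the form uid=<name>,... (the shape the thread's DNs have).
UID_RDN_RE = re.compile(r"^uid=(?P<uid>[^,]+)", re.IGNORECASE)


@dataclass
class ExpiryWarning:
    dn: str            # DN that bound and triggered the warning
    seconds_left: int  # seconds until the password reaches pwdMaxAge, as logged

    @property
    def uid(self) -> Optional[str]:
        m = UID_RDN_RE.match(self.dn)
        return m.group("uid") if m else None


def parse_ppolicy_warning(line: str) -> Optional[ExpiryWarning]:
    """Return the warning carried by one log line, or None if the line is not one."""
    m = PPOLICY_WARNING_RE.search(line)
    if not m:
        return None
    return ExpiryWarning(dn=m.group("dn"), seconds_left=int(m.group("secs")))


def expiring_within(lines: Iterable[str], threshold_seconds: int) -> List[ExpiryWarning]:
    """Warnings whose remaining lifetime is at or below the threshold, in log order."""
    hits = []
    for line in lines:
        w = parse_ppolicy_warning(line)
        if w is not None and w.seconds_left <= threshold_seconds:
            hits.append(w)
    return hits


# Constructed sample log lines (syslog prefix, host name and pid are made up);
# the first ppolicy line is the one quoted in the thread.
SAMPLE_LOG = [
    "Mar  3 10:15:02 ldap_svc slapd[2451]: ppolicy_bind: Setting warning for "
    "password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds",
    # The Linux client's service-account bind: slapd logs no ppolicy warning for it,
    # which is the situation the thread describes.
    'Mar  3 10:15:07 ldap_svc slapd[2451]: conn=1012 op=0 BIND '
    'dn="cn=simpleBind,o=theorg,dc=example,dc=net" method=128',
    "Mar  3 10:16:40 ldap_svc slapd[2451]: ppolicy_bind: Setting warning for "
    "password expiry for uid=jdoe,ou=people,o=theorg,dc=example,dc=net = 86400 secds",
]


if __name__ == "__main__":
    # Report everything due to expire within the next hour.
    for w in expiring_within(SAMPLE_LOG, threshold_seconds=3600):
        print(f"{w.uid}: password expires in {w.seconds_left} s ({w.dn})")
```

Run it against a real slapd log with `expiring_within(open("/var/log/slapd.log"), 86400)` (path assumed; use whatever your syslog writes slapd's loglevel output to) to get a daily list of users who still have the warning period to act in.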