
Re: intent of pwdGraceAuthNLimit when using ppolicy overlay

On Wednesday, 30 June 2010 20:15:50 Licause, Al wrote:
> I have been attempting to use the ppolicy overlay on an openldap server
>  running on a Red Hat V5.4 platform with the following components:
> openldap-servers-2.3.43-3.el5
> checkpassword-ldap-0.01-1.2.el5.rf
> mozldap-6.0.5-1.el5
> openldap-2.3.43-3.el5
> openldap-debuginfo-2.3.43-3.el5
> nss_ldap-253-22.el5_4
> openldap-clients-2.3.43-3.el5
> openldap-servers-overlays-2.3.43-3.el5
> I was unable to get the user's password to expire by simply setting a value
>  for pwdMaxAge without the use of the pwdReset parameter.
> I finally turned on all debugging in the slapd.conf file (value -1) and
>  noticed that the value of pwdGraceAuthNLimit in the default policy, was
>  set to 3, which allowed the ldap user access without changing the
>  password.

Of course, after the grace authentications, binds would fail.

> The disturbing thing about this was the fact that the user is not notified
>  that their password has expired. I would have thought that if the intent
>  was to allow an expired password, then the user should be notified of not
>  only the fact that their password has expired but how many more grace
>  logins they would be allowed before either having to change the password
>  or having the account disabled.

This is most likely as a result of PAM misconfiguration. You didn't specify how 
you were testing.

However, with almost identical software, my environment works correctly.

Please include your full client-side configuration when posting to 
openldap-technical (e.g. all PAM files included by the service with which you were 
Note that the openldap-bugs list is for tracking bugs logged on the ITS bug 
tracker. Questions should be posted to the openldap-technical list.
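The thread turns on the fact that slapd only tells a client about an expired password or the remaining grace binds through the Password Policy response control, and only when the client asked for it (the OpenLDAP tools do this with `-e ppolicy`). A client stack that never requests or decodes that control cannot warn the user, whatever pwdGraceAuthNLimit is set to. The following is an added example, not code from the OpenLDAP project or from anyone in the thread: a stand-alone Python decoder (and a small encoder used to build constructed sample values) for the control value as defined in draft-behera-ldap-password-policy, which the ppolicy overlay implements. The tag values and the error enumeration come from that draft; the user-facing message strings are the author's own choice.

```python
"""Decode and build the LDAP Password Policy response control value.

Added, stand-alone example (not OpenLDAP project code). Control OID
1.3.6.1.4.1.42.2.27.8.5.1; the value is BER, per draft-behera-ldap-password-policy:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER (0 .. maxInt),
          graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1), ... } OPTIONAL }
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Wire tags: the CHOICE is explicitly tagged [0] (constructed), the
# alternatives inside it and the error field are implicitly tagged (primitive).
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0   # warning [0], constructed
TAG_EXPIRE = 0x80    # timeBeforeExpiration [0] inside the CHOICE
TAG_GRACE = 0x81     # graceAuthNsRemaining [1] inside the CHOICE
TAG_ERROR = 0x81     # error [1] at SEQUENCE level

ERROR_NAMES = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos) for the definite-length BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER contents")
    return tag, buf[pos:end], end


def _tlv(tag: int, contents: bytes) -> bytes:
    """Encode one definite-length BER element (short or long form length)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def _int_bytes(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER/ENUMERATED."""
    if n < 0:
        raise ValueError("only non-negative values are defined for this control")
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def decode_ppolicy_response(value: bytes) -> dict:
    """Parse the control value into a dict; fields the server omitted are None."""
    result = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("value is not a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("trailing bytes in warning CHOICE")
            if ctag == TAG_EXPIRE:
                result["time_before_expiration"] = int.from_bytes(cval, "big", signed=True)
            elif ctag == TAG_GRACE:
                result["grace_authns_remaining"] = int.from_bytes(cval, "big", signed=True)
            else:
                raise ValueError(f"unknown warning alternative tag 0x{ctag:02x}")
        elif tag == TAG_ERROR:
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = ERROR_NAMES.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in PasswordPolicyResponseValue")
    return result


def encode_ppolicy_response(time_before=None, grace=None, error=None) -> bytes:
    """Build a control value; used here only to construct sample data."""
    if time_before is not None and grace is not None:
        raise ValueError("warning is a CHOICE: at most one alternative")
    body = b""
    if time_before is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_EXPIRE, _int_bytes(time_before)))
    elif grace is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_GRACE, _int_bytes(grace)))
    if error is not None:
        body += _tlv(TAG_ERROR, _int_bytes(error))
    return _tlv(TAG_SEQUENCE, body)


def user_messages(result: dict) -> list:
    """What a client that honours the control should show after a bind (wording is ours)."""
    msgs = []
    if result["error"] is not None:
        msgs.append(f"password policy error: {result['error']}")
    if result["grace_authns_remaining"] is not None:
        msgs.append(f"password has expired; {result['grace_authns_remaining']} grace login(s) remain")
    if result["time_before_expiration"] is not None:
        msgs.append(f"password expires in {result['time_before_expiration']} seconds")
    return msgs


if __name__ == "__main__":
    # Constructed sample: a grace bind with pwdGraceAuthNLimit=3 on its second use,
    # i.e. 2 grace logins left and no error field.
    sample = bytes.fromhex("3005a003810102")
    decoded = decode_ppolicy_response(sample)
    print(decoded)
    for line in user_messages(decoded):
        print("client should display:", line)
```

The decoder deliberately rejects trailing bytes and unknown tags rather than guessing, since a control value that does not match the schema is a sign the client is looking at the wrong control or the wrong server. If the dict comes back with every field None, the server returned an empty SEQUENCE, which is what a healthy, non-expiring account gets, and a client that only prints on non-None fields stays quiet in that case.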