[Date Prev][Date Next] [Chronological] [Thread] [Top]

PAM not warning for password expiration

Hello list,
First of all; sorry if this is on the wrong list, reaches the wrong people, has been asked 1000 times before, or is just a basic or stupid question. Yes, I have searched Google and the mailing list archives.
We (succesfully) implemented ppolicy on our 2.4.22 OpenLDAP server.
Password constraints are enforced correctly, but letting the accounts expiry correctly seems a bit tricky.
When users with an expired account try to log on to an application making a bind using the user's own credentials, everything works as expected; users cannot login, access gets denied. In the slapd logging, the following message is displayed:
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an expired password: 0 grace logins

But when trying to log into PAM (ssh, su etc.), there is no warning displayed the account is expired. The user is also allowed to login normally.
I've been Googling for a couple of days now, and can't really find the culprit.
I was especially interested in this thread:
So, I've set pwdExpireWarning to 1 second less then pwdMaxAge.
When I try to bind directly, such as with an ldapsearch, the logging shows
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=<user> = 4318121 seconds
So, that seems to be correct.
But, when logging in via PAM, the log does not display the "setting warning".
ldap.conf on the clients read:
binddn cn=<binddn>
base <base>
uri ldaps://<master1> ldaps://<master2>
ssl yes
bind_timelimit 2
tls_checkpeer yes
tls_ciphers TLSv1
tls_cacertdir /etc/ssl/openldap2.4
pam_password crypt
pam_check_host_attr yes
pam_lookup_policy yes 
I think this is caused by PAM using the bindDN and then *querying* the user. So the server does not set a password expiry warning. But as I understood, "pam_lookup_policy" should ensure PAM trying to query for an expiry date.
How can I configure PAM to display the "Your password will expire in ... days"?
auth        required      /lib/security/$ISA/pam_tally2.so audit
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so 
sshd_config shows "UsePAM yes"
Again, sorry if this is not a question for this list.
Thanks you for any responses,
Dannie Obbink
De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming kregen dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht en een verschoningsrecht.