Re: pwdMustChange and pwdExpireWarning
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
> Hello Buchan
> I set pwdReset manually and it worked. Thank you.
> For my issue regarding pwdExpireWarning not displaying warning message when
> I ssh into my systems, I still can't figure out what I did wrong. Here is
> my default policy:
> dn: cn=default,ou=Policies,dc=example,dc=company
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 1209600
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 24
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 5184000
> pwdMaxFailure: 3
> pwdMinLength: 12
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see man page),
with -e ppolicy option to display ppolicy controls in the response.
> pwdMaxAge works perfectly and so does every other attribute, except
> pwdExpireWarning. pwdExpireWarning is the only one I am having issues
> now. Not sure what I did wrong. Do you need to know any other details?
If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings. See my previous reply:
You need to supply your PAM configuration if anyone is to assist you further.
> > > expire in 12 days, how come I don't see a warning message when I ssh to my
> > > system?
> > Misconfigured PAM stack probably (authorization, IOW account lines). There have
> > been previous solutions in previous threads on this topic, and without
> > any details of your system it isn't possible to assist further.