
Re: pwdMustChange and pwdExpireWarning
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
> Hello Buchan
> 
> I set pwdReset manually and it worked.  Thank you.
> 
> For my issue regarding pwdExpireWarning not displaying warning message when
> I ssh into my systems, I still can't figure out what I did wrong.  Here is
> my default policy:
> 
> dn: cn=default,ou=Policies,dc=example,dc=company
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 1209600
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 24
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 5184000
> pwdMaxFailure: 3
> pwdMinLength: 12
> pwdMustChange: TRUE
> pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see the man page),
using the -e ppolicy option to display the ppolicy controls in the response.

> pwdMaxAge works perfectly and so does every other attribute, except
> pwdExpireWarning.  pwdExpireWarning is the only one I am having issues
> now.  Not sure what I did wrong.  Do you need to know any other details?

If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings. See my previous reply:

You need to supply your PAM configuration if anyone is to assist you further.

> > > expire in 12 days, how come I don't see a warning message when I ssh to
> > > my system?
> > 
> > Misconfigured PAM stack probably (authorization, IOW account lines).
> > There have been previous solutions in previous threads on this topic, and
> > without any details of your system it isn't possible to assist further.

Regards,
Buchan
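The advice above is to separate the two halves of the problem: first confirm what slapd's ppolicy overlay actually returns for the bind (ldapwhoami -e ppolicy), and only then look at the PAM account phase. The following is an added example, not code from the thread or from OpenLDAP: it parses the pwdPolicy entry quoted in the thread and reproduces the overlay's expiry arithmetic (expiry = pwdChangedTime + pwdMaxAge; a timeBeforeExpiration warning is returned only while the remaining time is at most pwdExpireWarning), so you can predict the control slapd should send for a given user before blaming the PAM stack. The pwdChangedTime values and the "now" timestamp are constructed to match the "expires in 12 days" situation in the thread; grace-login bookkeeping (pwdGraceUseTime) is deliberately not modelled.

```python
"""Added example: predict the ppolicy response for the quoted pwdPolicy entry.
Not OpenLDAP code; it models the overlay's expiry/warning arithmetic only."""
from datetime import datetime, timedelta, timezone

# Copy of the cn=default policy posted in the thread (constructed input).
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser: 'attr: value' lines only.
    Multi-valued attributes (objectClass) are kept as lists; base64 ('::')
    values and line continuations are not handled, as the policy needs none."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """pwdChangedTime is stored as GeneralizedTime, e.g. 20100630000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ppolicy_state(policy, pwd_changed_time, now, pwd_reset=False):
    """Return the ppolicy control outcome slapd would report on a successful bind.

    Checks are ordered as the overlay applies them: a reset password must be
    changed first, an expired password is reported as an error, and a warning
    is returned only when pwdExpireWarning is non-zero and the remaining
    lifetime is at most that many seconds.
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warn_window = int(policy.get("pwdExpireWarning", ["0"])[0])
    if pwd_reset:
        return {"error": "changeAfterReset"}
    if max_age == 0:            # pwdMaxAge 0 means passwords never expire
        return {"ok": True}
    expires_at = pwd_changed_time + timedelta(seconds=max_age)
    remaining = int((expires_at - now).total_seconds())
    if remaining <= 0:
        return {"error": "passwordExpired"}
    if warn_window and remaining <= warn_window:
        return {"warning": "timeBeforeExpiration", "seconds": remaining}
    return {"ok": True}


def ldapwhoami_command(uri, bind_dn):
    """The bind test suggested in the thread: -e ppolicy asks slapd to return
    the ppolicy control so the warning/error above is visible in the output."""
    return ["ldapwhoami", "-x", "-H", uri, "-D", bind_dn, "-W", "-e", "ppolicy"]


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    now = parse_generalized_time("20100817000000Z")   # constructed "today"
    for changed in ("20100630000000Z", "20100810000000Z", "20100601000000Z"):
        state = ppolicy_state(policy, parse_generalized_time(changed), now)
        print(f"pwdChangedTime={changed}: {state}")
    print(" ".join(ldapwhoami_command("ldap://ldap.example.company",
                                      "uid=wgao,ou=People,dc=example,dc=company")))
```

With the quoted policy (pwdMaxAge 60 days, pwdExpireWarning 14 days), a password changed 48 days ago yields a timeBeforeExpiration warning of 1036800 seconds (12 days), which is what ldapwhoami -e ppolicy should show for the user in the thread. If it does, slapd is doing its part and the missing ssh message is a PAM account-phase issue, exactly as Buchan says; if it does not, check that the user's entry actually has a pwdChangedTime (entries whose password predates the overlay have none, and no age can be computed) and that the intended policy is the one in effect (pwdPolicySubentry on the user or the overlay's default).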