
[Fwd: PAM not warning for password expiration]



-------- Forwarded Message --------
> From: Obbink, D. (Dannie) <dannie.obbink@vtspn.nl>
> To: openldap-technical@openldap.org
> Subject: PAM not warning for password expiration
> Date: Thu, 22 Jul 2010 19:29:36 +0200
> 
> When users with an expired account try to log on to an application
> making a bind using the user's own credentials, everything works as
> expected; users cannot login, access gets denied. In the slapd
> logging, the following message is displayed:
>  
> Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an
> expired password: 0 grace logins 
> 
> But when trying to log into PAM (ssh, su etc.), there is no warning
> displayed that the account is expired. The user is also allowed to log in
> normally.
>  
> I've been Googling for a couple of days now, and can't really find the
> culprit.
>  
> I was especially interested in this thread:
> http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
>  
> So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
>  
> When I try to bind directly, such as with an ldapsearch, the logging
> shows
>  
> Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for
> password expiry for uid=<user> = 4318121 seconds 
> 
> So, that seems to be correct.
> But, when logging in via PAM, the log does not display the "setting
> warning".
>  
> <SNIP>

> Thank you for any responses,
> Dannie Obbink

Hello list,

Well, I finally found a workaround which "works for me"; use SSSD (found
in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6).

SSSD, unlike pam_ldap, IS nice enough to warn me of impending password
expiry.

I found multiple bugs about this (really helps if you know what to
search) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and
http://bugs.centos.org/view.php?id=4468&nbn=5

I just wanted to share with you all that this definitely looks like a
pam_ldap bug.

Sincerely,
Dannie Obbink
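As an added example (not from the thread or from either project), a small Python parser for the two ppolicy_bind messages quoted above, so an admin can flag expired or soon-expiring accounts from the slapd log while pam_ldap shows the user nothing; the uids in the sample log are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The two ppolicy_bind messages quoted in the thread (slapd 2.4 log format).
EXPIRED_RE = re.compile(r"ppolicy_bind: Entry (?P<dn>\S+) has an expired password: (?P<grace>\d+) grace logins")
WARNING_RE = re.compile(r"ppolicy_bind: Setting warning for password expiry for (?P<dn>\S+) = (?P<secs>\d+) seconds")

@dataclass
class PpolicyEvent:
    dn: str
    state: str                           # "expired" or "expiring"
    grace_logins: Optional[int] = None   # set when state == "expired"
    seconds_left: Optional[int] = None   # set when state == "expiring"

def parse_ppolicy_line(line: str) -> Optional[PpolicyEvent]:
    """Parse one slapd log line; return None for lines that are not ppolicy_bind events."""
    m = EXPIRED_RE.search(line)
    if m:
        return PpolicyEvent(m["dn"], "expired", grace_logins=int(m["grace"]))
    m = WARNING_RE.search(line)
    if m:
        return PpolicyEvent(m["dn"], "expiring", seconds_left=int(m["secs"]))
    return None

def summarize(log_text: str) -> Dict[str, PpolicyEvent]:
    """Keep the most recent ppolicy_bind event per DN (later lines win)."""
    events: Dict[str, PpolicyEvent] = {}
    for line in log_text.splitlines():
        ev = parse_ppolicy_line(line)
        if ev is not None:
            events[ev.dn] = ev
    return events

def needs_attention(events: Dict[str, PpolicyEvent], warn_within_days: int = 7) -> List[str]:
    """DNs to notify out of band: already expired, or expiring within warn_within_days."""
    limit = warn_within_days * 86400
    return sorted(dn for dn, ev in events.items()
                  if ev.state == "expired"
                  or (ev.seconds_left is not None and ev.seconds_left <= limit))

# Constructed sample log: uids are made up, the message formats are the ones from the thread.
SAMPLE_LOG = """\
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=alice has an expired password: 0 grace logins
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=bob = 4318121 seconds
Jul 22 15:32:10 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=carol = 3600 seconds
Jul 22 15:33:00 slapd2.4[27182]: conn=1001 op=0 BIND dn="uid=dave,ou=people,dc=example,dc=com" method=128
"""
```

Running `needs_attention(summarize(SAMPLE_LOG))` reports uid=alice (expired, no grace logins) and uid=carol (one hour left); uid=bob, with about 50 days left, only shows up once the window is widened.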

