Questions on ppolicy (SLES11)



Hello!

I started to configure ppolicy in SLES11 SP3, and I think I succeeded with the LDAP part. However, I did not understand how to integrate ppolicy with the OS, specifically:

I created one test user with a ppolicy, and the expectation is that on first login the password should be changed (minus grace logins). According to the syslog, ppolicy triggers an expired password:

slapd[3990]: ppolicy_bind: Setting warning for password expiry for uid=windl2,ou=domain,dc=org = 0 seconds

However, the user gets no message of any kind when logging in. It also seems that nothing is changed in the LDAP database when this message occurs. So what is actually "set" there?

When the user actually changes the password, I see the following attributes changed in LDAP:
userPassword, pwdHistory, shadowLastChange

What's not quite clear is when using SSHA-hashed passwords, what changes can be done regarding pwdCheckQuality. I can imagine that some checks will work if the client uses the extended operation to change the password, but not if the password is changed by an ordinary LDAP modify request. Is that correct?

Finally, maybe a stupid question: How does authentication against LDAP work? In the classical UNIX mechanism, the authenticating process would query the user name, then fetch the hashed password for that user, get the password from the user, hash it using the same salt, and then compare the results for a match. To my understanding you cannot get the hashed password from LDAP until authenticated, so that looks like an egg-and-hen paradox to me.

If anybody could enlighten me, I'd be glad.

Regards,
Ulrich
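The two questions above about SSHA passwords (what pwdCheckQuality can do with them, and how a bind can succeed when the client never reads the hash) both come down to which side sees the cleartext. The following Python is an added illustration, not code from Ulrich's post or from OpenLDAP itself: it reproduces the {SSHA} userPassword format slapd stores (base64 of sha1(password + salt) followed by the salt) and the salt-and-compare step the server performs on a simple bind after the client has sent the cleartext password over the (ideally TLS-protected) connection. The `quality_checkable` helper, the sample password and the fixed salt are constructed for the example; the real ppolicy logic lives in slapd, which can only evaluate pwdCheckQuality when the new password arrives in cleartext (via the password modify extended operation or a cleartext userPassword in a modify), not when the client sends an already hashed value.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_DIGEST_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value.

    Layout: "{SSHA}" + base64( sha1(password || salt) || salt ).
    slapd normally draws a random salt; a fixed salt is only useful for tests.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time.

    This is the server-side step of a simple bind: the client presents the
    cleartext password, the server (which can read userPassword) does the
    salting, hashing and comparison. The client never needs read access to
    the hash, which resolves the apparent egg-and-hen problem.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{SHA}"):
        # Unsalted variant, kept for completeness; same idea without a salt.
        digest = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


def quality_checkable(new_userpassword_value: str) -> bool:
    """Can a server-side quality check (pwdCheckQuality) inspect this value?

    Simplification for the example: a value carrying a "{SCHEME}" prefix is
    treated as already hashed by the client, so the server has no cleartext
    to run length or complexity rules against and can only store it as-is.
    """
    value = new_userpassword_value
    return not (value.startswith("{") and "}" in value)


if __name__ == "__main__":
    # Constructed sample values for a local demonstration.
    stored = make_ssha("Wint3r-Apples", salt=b"\x01\x02\x03\x04")
    print("stored userPassword:", stored)
    print("bind with correct password:", verify_userpassword("Wint3r-Apples", stored))
    print("bind with wrong password:  ", verify_userpassword("summer", stored))
    print("quality check possible on cleartext:", quality_checkable("Wint3r-Apples"))
    print("quality check possible on pre-hashed:", quality_checkable(stored))
```

Run it directly to see the two bind outcomes and the difference between a cleartext and a pre-hashed modify. The practical consequence for the SSHA question: let clients change passwords through the password modify extended operation (or send cleartext and let slapd hash it according to its configured scheme) if pwdCheckQuality is supposed to reject weak values.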