Re: Re: pwdMustChange and pwdExpireWarning

[weigao88@gmail.com]

Hello Buchan

I am running the rpm package openldap server 2.3 that comes with CentOS 5.4 and my ldap client is CentOS 4.  Looks like there is no ldapwhoami -e ppolicy option on CentOS4 client, as you can see below.  I also copy and paste the client's /etc/pam.d/system-auth below.    


[user1@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (an RFC 2254 Filter)
             [!]authzid=<authzid>   ("dn:<dn>" or "u:<user>")
             [!]manageDSAit
             [!]noop
             [!]postread[=<attrs>]  (a comma-separated attribute list)
             [!]preread[=<attrs>]   (a comma-separated attribute list)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Indentifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)



[user1@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

#password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so


Do you see anything configured wrong in my /etc/pam.d/system-auth?  Thanks so much for your help with this issue.

Regards
Wei



On Aug 17, 2010 4:43am, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
> On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
> 
> 
> > Hello Buchan
> 
> 
> >
> 
> 
> > I set pwdReset manually and it worked.  Thank you.
> 
> 
> >
> 
> 
> > For my issue regarding pwdExpireWarning not displaying warning message when
> 
> 
> > I ssh into my systems, I still can't figure out what I did wrong.  Here is
> 
> 
> > my default policy:
> 
> 
> >
> 
> 
> > dn: cn=default,ou=Policies,dc=example,dc=company
> 
> 
> > objectClass: top
> 
> 
> > objectClass: device
> 
> 
> > objectClass: pwdPolicy
> 
> 
> > cn: default
> 
> 
> > pwdAllowUserChange: TRUE
> 
> 
> > pwdAttribute: userPassword
> 
> 
> > pwdCheckQuality: 2
> 
> 
> > pwdExpireWarning: 1209600
> 
> 
> > pwdFailureCountInterval: 0
> 
> 
> > pwdGraceAuthNLimit: 0
> 
> 
> > pwdInHistory: 24
> 
> 
> > pwdLockout: TRUE
> 
> 
> > pwdLockoutDuration: 0
> 
> 
> > pwdMaxAge: 5184000
> 
> 
> > pwdMaxFailure: 3
> 
> 
> > pwdMinLength: 12
> 
> 
> > pwdMustChange: TRUE
> 
> 
> > pwdSafeModify: FALSE
> 
> 
> 
> 
> 
> 
> 
> 
> So, test your policy with ldapwhoami (with appropriate options, see man page),
> 
> 
> with -e ppolicy option to display ppolicy controls in the response.
> 
> 
> 
> 
> 
> > pwdMaxAge works perfectly and so does every other attribute, except
> 
> 
> > pwdExpireWarning.  pwdExpireWarning is the only one I am having issues
> 
> 
> > now.  Not sure what I did wrong.  Do you need to know any other details?
> 
> 
> 
> 
> 
> If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
> 
> 
> This will not be the only pam_ldap feature (host-based authorization with
> 
> 
> pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
> 
> 
> PAM authorization settings. See my previous reply:
> 
> 
> 
> 
> 
> You need to supply your PAM configuration if anyone is to assist you further.
> 
> 
> 
> 
> 
> > > > expire in 12 days, how come I don't see a warning message when I ssh to
> 
> 
> > >
> 
> 
> > > my
> 
> 
> > >
> 
> 
> > > > system?
> 
> 
> > >
> 
> 
> > > Misconfigured PAM stack probably (authorization, IOW account lines).
> 
> 
> > > There have
> 
> 
> > > been previous solutions in previous threads on this topic, and without
> 
> 
> > > any details of your system it isn't possible to assist further.
> 
> 
> 
> 
> 
> 
> 
> 
> Regards,
> 
> 
> Buchan
> 
> 
>