Hello,
I have configured an OpenLDAP server on RHEL 5.4. I also want to enforce strong password policies for my LDAP users, for which I configured the PAM module on each LDAP client in the following way.
(/etc/pam.d/system-auth)

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally.so onerr=fail deny=5 unlock_time=300
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 reject_username
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0066
I am having the following problems with my configuration.

1. Although configured, password history (pam_unix.so remember=5) is not working for LDAP users, while the other password policies (pam_cracklib, pam_tally) are working fine.
2. I also observed that I can't change/set any user's password as root (using passwd username).
Following is my LDAP client configuration file (ldap.conf).

base dc=mycomp,dc=com
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_check_host_attr
pam_password md5
ssl no
timelimit 120
tls_cacertdir /etc/openldap/cacerts
uri ldap://10.0.119.36
For further troubleshooting I observed my /var/log/secure file while changing an LDAP user's password.
passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
but getent passwd shows me the username.
Thanks in advance.
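As an added illustration (not part of the original post), here is a small Python script that parses the password stack posted above and reports which module carries each policy option. It assumes that pam_unix.so is the only module in this stack that acts solely on /etc/passwd and /etc/shadow accounts, so an option set only there (remember=5) is never seen for accounts that exist only in LDAP; the sample stack is a constructed copy of the post's configuration.

```python
"""Audit a PAM 'password' stack: which module carries each policy option?"""

# Constructed sample: the password stack from the system-auth file above.
SYSTEM_AUTH = """\
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 reject_username
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
"""

def parse_stack(text, stack="password"):
    """Return [(control, module, {option: value})] for one management group."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] != stack:
            continue
        if parts[1].startswith("["):
            # bracketed control field, e.g. [default=bad success=ok user_unknown=ignore]
            end = next(i for i, p in enumerate(parts) if p.endswith("]"))
            control = " ".join(parts[1:end + 1])
            module, opts = parts[end + 1], parts[end + 2:]
        else:
            control, module, opts = parts[1], parts[2], parts[3:]
        options = {}
        for opt in opts:
            key, _, value = opt.partition("=")
            options[key] = value if value else True   # bare flags become True
        entries.append((control, module, options))
    return entries

# Assumption: modules that only ever act on local /etc/passwd|shadow accounts.
LOCAL_ONLY = {"pam_unix.so"}

def policy_gaps(entries, policy_opts=("remember",)):
    """Return the policy options that are set only on local-only modules.

    Such options never apply to users those modules cannot see (for example
    LDAP-only accounts), because the option is not passed to pam_ldap.so."""
    gaps = []
    for opt in policy_opts:
        carriers = [module for _, module, options in entries if opt in options]
        if carriers and all(module in LOCAL_ONLY for module in carriers):
            gaps.append(opt)
    return gaps

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    for control, module, options in stack:
        print(f"{control:<12} {module:<18} {sorted(options)}")
    print("options enforced for local accounts only:", policy_gaps(stack, ("minlen", "remember")))
```

Options carried by pam_cracklib.so (minlen, the credit settings) are not flagged because that module runs as requisite before either backend, which matches the poster's observation that only the history option fails for LDAP users.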