Hello,

I have configured an openldap server on RHEL 5.4.
I also want to enforce strong password policies for my ldap users,
for which I configured the pam module on each ldap client in the following way.

(/etc/pam.d/system-auth)
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=300
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \
                                reject_username 
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     optional      pam_mkhomedir.so skel=/etc/skel umask=0066

I am having the following problems with my configuration.

1. The configured password history (pam_unix.so remember=5) is not working for ldap users, while the other password policies (pam_cracklib, pam_tally) are working fine.
2. I also observed that I can't change/set any user's password as the root user (using passwd username).

The following is my ldap client configuration file (ldap.conf).

base dc=mycomp,dc=com
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_check_host_attr
pam_password md5
ssl no
timelimit 120
tls_cacertdir /etc/openldap/cacerts
uri ldap://10.0.119.36

For further troubleshooting I observed my /var/log/secure file while changing an ldap user's password.

passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd

but #getent passwd shows me the username.

Thanks in advance.

--
Regards,
Meghanand N. Acharekar
" A proud GNU\Linux User "
Reg Linux User  #397975
------------------------------------------
I was born free! No Gates and Windows can restrict my Freedom !!!
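To see why remember=5 never applies to a directory-only account, here is an added Python sketch (not part of the post above, and not Linux-PAM code) that walks the quoted "password" stack with the plain control keywords. The module outcomes are assumptions: pam_cracklib and pam_ldap succeed, and pam_unix fails for an account that is not in /etc/passwd (the "user does not exist" line in the secure log), so the sufficient pam_ldap entry performs the change and pam_unix's history option is never reached.

```python
import re

# Constructed copy of the "password" section of the system-auth stack quoted in the post.
PAM_PASSWORD_STACK = r"""
password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 \
                                reject_username
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
"""

def parse_stack(text, phase):
    """Return [(control, module, args)] for one phase, joining backslash continuations."""
    entries = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or fields[0] != phase:
            continue
        if fields[1].startswith("["):
            raise ValueError("bracketed control flags are not modelled here")
        entries.append((fields[1], fields[2], fields[3:]))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack with the simple Linux-PAM control keywords.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).
    Returns (stack_result, list of modules that actually ran)."""
    required_failed, ran = False, []
    for control, module, _args in entries:
        ok = outcomes.get(module, False)
        ran.append(module)
        if control == "requisite" and not ok:
            return False, ran            # fail immediately, later modules never run
        if control == "required" and not ok:
            required_failed = True       # keep going, but the final result is failure
        if control == "sufficient" and ok and not required_failed:
            return True, ran             # short-circuit success
        # optional: never affects the result in a multi-module stack
    return not required_failed, ran

def password_change(user_in_passwd):
    """Which module ends up changing the password for a local vs. LDAP-only user (assumed outcomes)."""
    entries = parse_stack(PAM_PASSWORD_STACK, "password")
    outcomes = {"pam_cracklib.so": True,          # quality check passes
                "pam_unix.so": user_in_passwd,    # fails when the user is not in /etc/passwd
                "pam_ldap.so": True,
                "pam_deny.so": False}
    ok, ran = evaluate(entries, outcomes)
    # remember=N is enforced by pam_unix only when pam_unix itself handles the change
    return {"changed": ok, "by": ran[-1] if ok else None,
            "history_enforced": user_in_passwd and "pam_unix.so" in ran}
```

For a local account the change stops at pam_unix with history enforced; for an LDAP-only account it is pam_ldap that succeeds, so any history limit has to come from the directory server's own password policy rather than from this client stack.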