Dear openldap experts,
the company I work for recently migrated to Ubuntu 22.04, and we use openldap with password policies and password expiry (once per year), with no changes to OpenLDAP config.
However, we also use a Scientific Linux 6 (SL6, ~RH6) compile machine for backwards compatibility purposes (also using OpenLDAP).
Now what happens is:
- user ldaptestuser1's password expires
- she/he changes her/his password on Ubuntu (problem 1: no PP checking, maybe due to cache_credentials = yes in /etc/sssd/sssd.conf)
- SL6 (host X) does not know about that (problem 2: pwd checking on SL6 _always_ yields a Constraint violation, so user ldaptestuser1 cannot log in there):

  ldaptestuser1@X's password:
  You are required to change your password immediately (password aged)
  You are required to change your LDAP password immediately.
  Last login: DATE from Y
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user ldaptestuser1.
  Enter login(LDAP) password:
  New password:
  Retype new password:
  LDAP password information update failed: Constraint violation
  Password fails quality checking policy
  passwd: Authentication token manipulation error
  Connection to X closed.
I cannot see any relevant error in the server (sys)log (with stats logging). Which log level shall I enable?
- is there a workaround / fix for problem 1?
- Regarding problem 2: shall I disable password expiry (shadow extension)?
Many Thanks and Best Regards! -- Felix Natter