-------- Forwarded Message --------
From: Obbink, D. (Dannie) dannie.obbink@vtspn.nl
To: openldap-technical@openldap.org
Subject: PAM not warning for password expiration
Date: Thu, 22 Jul 2010 19:29:36 +0200

When users with an expired account try to log on to an application making a bind using the user's own credentials, everything works as expected; users cannot log in, and access gets denied. In the slapd logging, the following message is displayed:
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an expired password: 0 grace logins
But when trying to log in via PAM (ssh, su etc.), there is no warning displayed that the account is expired. The user is also allowed to log in normally.
I've been Googling for a couple of days now, and can't really find the culprit.
I was especially interested in this thread: http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
When I try to bind directly, such as with an ldapsearch, the logging shows
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=<user> = 4318121 seconds
So, that seems to be correct. But, when logging in via PAM, the log does not display the "setting warning".
<SNIP>
Thank you for any responses,
Dannie Obbink
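As an added example (not part of the thread), a small Python script that mines the two ppolicy_bind messages quoted above out of a slapd log, so expired and soon-to-expire accounts can be reported out-of-band while the PAM side stays silent. The sample log lines and the uids in them are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Patterns for the two ppolicy_bind messages slapd writes on a bind.
EXPIRED_RE = re.compile(
    r"ppolicy_bind: Entry uid=(?P<uid>\S+) has an expired password: "
    r"(?P<grace>\d+) grace logins"
)
WARNING_RE = re.compile(
    r"ppolicy_bind: Setting warning for password expiry for uid=(?P<uid>\S+) "
    r"= (?P<secs>\d+) seconds"
)

@dataclass
class BindStatus:
    uid: str
    expired: bool
    grace_logins: int = 0           # only meaningful when expired
    seconds_left: Optional[int] = None  # only set for the warning message

def parse_ppolicy_line(line: str) -> Optional[BindStatus]:
    """Return the ppolicy state encoded in one slapd log line, or None."""
    m = EXPIRED_RE.search(line)
    if m:
        return BindStatus(m["uid"], True, int(m["grace"]))
    m = WARNING_RE.search(line)
    if m:
        return BindStatus(m["uid"], False, seconds_left=int(m["secs"]))
    return None  # unrelated slapd line

def expiry_report(lines: Iterable[str], warn_within: int = 7 * 86400
                  ) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Keep the latest ppolicy_bind state per uid and return two maps:
    expired uid -> grace logins left, and expiring uid -> seconds until
    expiry for users inside the warn_within window (default: 7 days)."""
    latest: Dict[str, BindStatus] = {}
    for line in lines:
        st = parse_ppolicy_line(line)
        if st:
            latest[st.uid] = st
    expired = {u: s.grace_logins for u, s in latest.items() if s.expired}
    expiring = {u: s.seconds_left for u, s in latest.items()
                if not s.expired and s.seconds_left is not None
                and s.seconds_left <= warn_within}
    return expired, expiring

# Constructed sample log in the same shape as the lines quoted in the thread.
SAMPLE_LOG = """\
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=alice has an expired password: 0 grace logins
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=bob = 4318121 seconds
Jul 22 15:32:10 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=carol = 86399 seconds
Jul 22 15:33:01 slapd2.4[27182]: conn=1003 fd=12 ACCEPT from IP=192.0.2.10:51234
""".splitlines()

if __name__ == "__main__":
    expired, expiring = expiry_report(SAMPLE_LOG)
    print("expired:", expired)
    print("expiring within 7 days:", expiring)
```

Run it against the real slapd log (or feed it from a syslog pipe) and hand the two maps to whatever notifies users, since pam_ldap will not.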
Hello list,
Well, I finally found a workaround which "works for me"; use SSSD (found in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6).
SSSD, unlike pam_ldap, IS nice enough to warn me of impending password expiry.
I found multiple bugs about this (really helps if you know what to search) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and http://bugs.centos.org/view.php?id=4468&nbn=5
I just wanted to share with you all that this definitely looks like a pam_ldap bug.
Sincerely,
Dannie Obbink