On Thu, Feb 21, 2008 at 11:52 AM, Bryan Payne <bpayne@speedfc.com> wrote:
If the account is locked, the user cannot log in. If the password has expired, the user can log in. I would like for it to prompt for the password, but it fails to work for Linux machines using PAM or Windows machines using pGina. I understand this is an OpenLDAP list, so if you tell me the issue is client-side (and PAM-related) regarding changing the password upon expiration, I'll take my question there. What about
Yes, this is pam_ldap related. You probably just need to configure it to use password policy in /etc/ldap.conf: pam_lookup_policy yes
Just note you need a recent version of pam_ldap for this to work properly.
If the client is not ppolicy-aware, he will just get back a login failure. If, however, he *is* aware, meaning he sends the right control and interprets the answer correctly, he will be able to show the user the reason for the failure and, in the case of an expired password or a forced password change, even act accordingly.
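What "sends the right control and interprets the answer correctly" means in practice is shown below as an added example; it is not code from the thread, from pam_ldap or from OpenLDAP. The Password Policy control (OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy) comes back on the bind response with a BER-encoded PasswordPolicyResponseValue carrying an optional warning (timeBeforeExpiration or graceAuthNsRemaining) and an optional error (passwordExpired, accountLocked, changeAfterReset, ...). The decoder below parses that value with no LDAP library and then classifies a bind the way a ppolicy-aware client would, so that an expired or locked account can be reported to the user instead of collapsing into a bare invalidCredentials. The sample control values are hand-encoded here, not captured from a server; the context-specific tags (0xA0 warning, 0x80/0x81 inside it, 0x81 error) follow the draft's ASN.1 and are assumed to match what slapd's ppolicy overlay emits.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# ENUMERATED values of the 'error' field in PasswordPolicyResponseValue.
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV (single-byte tag, definite length) at pos.
    Returns (tag, value, position after the value); raises on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER: missing tag or length")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: 0x8N followed by N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER/ENUMERATED")
    return int.from_bytes(value, "big", signed=True)


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # seconds until pwdMaxAge hits
    grace_authns_remaining: Optional[int] = None  # grace binds left after expiry
    error: Optional[str] = None                   # name from PPOLICY_ERRORS


def decode_ppolicy_response(value: bytes) -> PasswordPolicyResponse:
    """Decode the controlValue of a Password Policy response control."""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected a single outer SEQUENCE")
    resp, pos = PasswordPolicyResponse(), 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE { [0] time, [1] grace }
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes inside warning CHOICE")
            n = _ber_int(wval)
            if n < 0:
                raise ValueError("negative warning value")
            if wtag == 0x80:
                resp.time_before_expiration = n
            elif wtag == 0x81:
                resp.grace_authns_remaining = n
            else:
                raise ValueError(f"unknown warning tag 0x{wtag:02x}")
        elif tag == 0x81:  # error [1] ENUMERATED
            code = _ber_int(inner)
            resp.error = PPOLICY_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in response value")
    return resp


def is_valid_ppolicy_response(value: bytes) -> bool:
    try:
        decode_ppolicy_response(value)
        return True
    except ValueError:
        return False


def classify_bind(result_code: int, ppolicy_value: Optional[bytes]) -> str:
    """Turn (bind resultCode, response control value or None) into the
    action a ppolicy-aware client should take. A client that never sent the
    request control gets ppolicy_value=None and only ever sees the bare
    resultCode, which is the 'just a login failure' case."""
    pp = decode_ppolicy_response(ppolicy_value) if ppolicy_value is not None else None
    if result_code == LDAP_SUCCESS:
        if pp and pp.error == "changeAfterReset":
            return "ok-must-change-password"      # pwdReset: force a change now
        if pp and pp.grace_authns_remaining is not None:
            return f"ok-grace-logins-left:{pp.grace_authns_remaining}"
        if pp and pp.time_before_expiration is not None:
            return f"ok-expires-in:{pp.time_before_expiration}s"
        return "ok"
    if result_code == LDAP_INVALID_CREDENTIALS:
        if pp and pp.error == "passwordExpired":
            return "fail-password-expired"
        if pp and pp.error == "accountLocked":
            return "fail-account-locked"
        return "fail-invalid-credentials"
    return f"fail-ldap-result-{result_code}"


# Constructed sample control values (hand-encoded BER, not server captures).
SAMPLES = {
    "expired":     bytes.fromhex("3003810100"),          # error=passwordExpired
    "locked":      bytes.fromhex("3003810101"),          # error=accountLocked
    "must_change": bytes.fromhex("3003810102"),          # error=changeAfterReset
    "expiring_1d": bytes.fromhex("3007a0058003015180"),  # warning time=86400
    "grace_2":     bytes.fromhex("3005a003810102"),      # warning grace=2
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_ppolicy_response(value))
    print(classify_bind(LDAP_INVALID_CREDENTIALS, SAMPLES["expired"]))
    print(classify_bind(LDAP_INVALID_CREDENTIALS, None))
```

The two calls at the end make the thread's point concrete: the same invalidCredentials bind classifies as fail-password-expired when the control was requested and returned, and as a plain fail-invalid-credentials when it was not, which is all a non-ppolicy-aware PAM or pGina client can show the user.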