Thanks for valuable information.
On Wednesday, 1 September 2010 08:44:33 Meghanand Acharekar wrote:Have you enabled and configured the ppolicy overlay for OpenLDAP ? If you are
> Hello,
>
> I have configured openldap server on RHEL 5.4
> I also want to enforce strong password policies for my ldap users.
only enforcing LDAP passwords via PAM, changing passwords via another
mechanism will bypass these controls. So, you should consider using ppolicy
instead ...
Have you tested password changes with the ldappasswd tool ?
You probably don't want this configuration ... root on an individual "generic"
> for which i configured pam module on each ldap client in following way.
>
> (/etc/pam.d/system-auth)
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_tally.so onerr=fail deny=5 unlock_time=300
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1
> ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \
> reject_username
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok remember=5
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
> session optional pam_mkhomedir.so skel=/etc/skel umask=0066
>
> I am having following problems with my configuration.
>
> 1. Although configured password history (pam_unix.so remember =5) is not
> working for ldap users, while other password policies
> (pam_cracklib,pam_tally) are working fine.
> 2. I also observed that I can't change/set any users password as root user
> (using passwd username).
server should not be able to change passwords of all users in LDAP.
Use ldappasswd (please see the man page regarding options you need to provide
to make it work) or another LDAP-based tool (smbldap-passwd etc. or a web-
based interface) to change/reset user's passwords.
> Following is my ldap client configuration file (ldap.conf).If you want to implement any password quality checks on the LDAP side, you
>
> base dc=mycomp,dc=com
> bind_timelimit 120
> idle_timelimit 3600
> nss_initgroups_ignoreusers
> root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
> ,gdm pam_check_host_attr
> pam_password md5
need to use:
pam_password exop
instead. If you use 'pam_password md5', the LDAP server will only ever see the
hash, so will not be able to test password length etc. If you only want
password quality checks on the clients, your configuration will work, but users
may be able to bypass your quality checks by using ldappasswd (or any LDAP
client).
Fine, but pam_unix should fail, and after that 'passwd' should be trying via
> ssl no
> timelimit 120
> tls_cacertdir /etc/openldap/cacerts
> uri ldap://10.0.119.36
>
> For further troubleshooting I observer my /var/log/secure file while
> changing ldap user's passwod.
>
> passwd: pam_unix(passwd:chauthtok): user "username" does not exist in
> /etc/passwd
>
> but #getent passwd show me the username.
LDAP.
What do the logs on the LDAP server show? Can you show the prompts you get
from running 'passwd' ? You should be prompted for the LDAP password before
being prompted for the new password:
[bgmilne@xymon ~]$ passwd
Changing password for user bgmilne.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for bgmilne
passwd: all authentication tokens updated successfully.
[bgmilne@xymon ~]$
Regards,
Buchan