On Friday, 3 September 2010 13:15:21 Dannie Obbink wrote:
-------- Forwarded Message --------
From: Obbink, D. (Dannie) dannie.obbink@vtspn.nl
To: openldap-technical@openldap.org
Subject: PAM not warning for password expiration
Date: Thu, 22 Jul 2010 19:29:36 +0200
When users with an expired account try to log on to an application making a bind using the user's own credentials, everything works as expected; users cannot login, access gets denied. In the slapd logging, the following message is displayed:
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an expired password: 0 grace logins
But when trying to log in via PAM (ssh, su etc.), there is no warning displayed that the account is expired. The user is also allowed to log in normally.
I've been Googling for a couple of days now, and can't really find the culprit.
I was especially interested in this thread: http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
When I try to bind directly, such as with an ldapsearch, the logging shows
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=<user> = 4318121 seconds
So, that seems to be correct. But, when logging in via PAM, the log does not display the "setting warning".
<SNIP>
Thank you for any responses, Dannie Obbink
Hello list,
Well, I finally found a workaround which "works for me"; use SSSD (found in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6).
SSSD, unlike pam_ldap, IS nice enough to warn me of impending password expiry.
I found multiple bugs about this (really helps if you know what to search for) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and http://bugs.centos.org/view.php?id=4468&nbn=5
I just wanted to share with you all that this definitely looks like a pam_ldap bug.
No bug in pam_ldap, probably just a problem with your 'account' lines in your pam stack. For me, on RHEL4 and RHEL5 and Mandriva etc., pam_ldap warns appropriately for impending password expiry, and forces password changes after the password has expired.
There have been a number of threads on this list, in a few of which I have posted the solution.
Regards, Buchan
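Buchan's point is that pam_ldap only reports ppolicy expiry (and the grace/warning state) from its account phase, so a stack whose `auth` lines consult LDAP but whose `account` lines never do will let an expired user straight in, which matches the symptom Dannie describes. The following is an added example, not code from the thread or from pam_ldap: a small audit that parses a PAM stack and reports when the `auth` phase uses a directory module but the `account` phase does not. Both sample stacks are constructed for the example (the second follows the common RHEL5-style system-auth layout), and the list of module names it looks for is an assumption.

```python
"""Audit a PAM stack for an 'account' line that consults the directory module.

Added example for the mailing-list thread above; not pam_ldap's own code.
The sample stacks are constructed. The module names in LDAP_ACCOUNT_MODULES
are an assumption for the example (pam_ldap.so, or pam_sss.so for SSSD).
"""
import re

LDAP_ACCOUNT_MODULES = ("pam_ldap.so", "pam_sss.so")

# Constructed sample: auth consults LDAP, account does not. An LDAP user whose
# ppolicy password has expired still passes the account phase here, so login
# succeeds and no expiry warning is ever produced.
STACK_MISSING_ACCOUNT = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
"""

# Constructed sample: the account phase also calls pam_ldap.so, so ppolicy
# expiry and the pwdExpireWarning message reach the login.
STACK_WITH_ACCOUNT = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
"""

# type, control (simple keyword or bracketed form with spaces), module, args.
# A leading '-' marks a module whose absence should be tolerated; it is accepted.
LINE_RE = re.compile(
    r"^\s*-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?P<args>.*)$"
)


def parse_stack(text):
    """Return (type, control, module, args) tuples; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # @include and similar directives are out of scope here
        entries.append((m.group("type"), m.group("control"),
                        m.group("module"), m.group("args").strip()))
    return entries


def modules_for(entries, phase):
    """Modules listed for one PAM phase, in stack order."""
    return [mod for (typ, _ctl, mod, _args) in entries if typ == phase]


def audit_ldap_account_phase(text):
    """Flag stacks where the directory is consulted for auth but not for account.

    Returns {'auth': bool, 'account': bool, 'ok': bool, 'finding': str}.
    """
    entries = parse_stack(text)
    has_auth = any(m in LDAP_ACCOUNT_MODULES for m in modules_for(entries, "auth"))
    has_acct = any(m in LDAP_ACCOUNT_MODULES for m in modules_for(entries, "account"))
    if has_auth and not has_acct:
        finding = ("auth consults the directory but account does not: "
                   "ppolicy expiry and expiry warnings are not enforced at login")
    elif has_auth and has_acct:
        finding = "account phase consults the directory; expiry can be enforced"
    else:
        finding = "no directory module in the auth phase; nothing to check"
    return {"auth": has_auth, "account": has_acct,
            "ok": not (has_auth and not has_acct), "finding": finding}


if __name__ == "__main__":
    for name, stack in (("missing", STACK_MISSING_ACCOUNT), ("with", STACK_WITH_ACCOUNT)):
        print(name, "->", audit_ldap_account_phase(stack)["finding"])
```

To run it against a real host, read `/etc/pam.d/system-auth` (or the service file in question) and pass its contents to `audit_ldap_account_phase`; the parser deliberately ignores `@include` lines, so on distributions that split the stack across files each included file has to be checked on its own.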