Here is my defined ppolicy. I have defined in my /etc/ldap.conf pam_password exop. Password history and check_password was working when I had pam_password md5. I wonder if it has something to do with the way the password is being hashed.
dn: cn=default,ou=policies,dc=turbocorp,dc=com cn: default sn: surname objectClass: pwdPolicy objectClass: person objectClass: top objectClass: pwdPolicyChecker pwdAttribute: userPassword pwdInHistory: 3 pwdMinLength: 8 pwdMaxFailure: 5 pwdLockout: TRUE pwdLockoutDuration: 300 pwdAllowUserChange: TRUE pwdSafeModify: FALSE pwdMinAge: 0 pwdExpireWarning: 1209600 pwdCheckModule: /usr/local/libexec/openldap/check_password.so pwdGraceAuthNLimit: 3 pwdFailureCountInterval: 86400 pwdCheckQuality: 2 pwdMustChange: TRUE pwdMaxAge: 172800
John Allgood Senior Systems Administrator OHL Transportation Services 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878
jallgood@ohl.commailto:jallgood@ohl.com www.ohl.comhttp://www.ohl.com
From: Adam Leach [mailto:adam.m.leach@gmail.com] Sent: Thursday, June 24, 2010 11:24 AM To: Allgood, John Cc: SATOH Fumiyasu; openldap-technical@openldap.org Subject: Re: openldap pwdReset
It would help if you would attach the ppolicy that this entry uses in order to make sure it is configured correctly... On Thu, Jun 24, 2010 at 7:56 AM, Allgood, John <jallgood@ohl.commailto:jallgood@ohl.com> wrote: Yes I set that yesterday but now my password history is not working. It seems when I get one thing working something else breaks. Any ideas on the password history?
John Allgood Senior Systems Administrator OHL Transportation Services 2251 Jesse Jewell Pky. NE Gainesville, GA 30507 tel: (678) 989-3051 fax: (770) 531-7878
jallgood@ohl.commailto:jallgood@ohl.com www.ohl.comhttp://www.ohl.com
-----Original Message----- From: SATOH Fumiyasu [mailto:fumiyas@osstech.jpmailto:fumiyas@osstech.jp] Sent: Wednesday, June 23, 2010 8:23 PM To: Allgood, John Cc: 'openldap-technical@openldap.orgmailto:openldap-technical@openldap.org' Subject: Re: openldap pwdReset
Hi,
At Wed, 23 Jun 2010 08:39:03 -0500, Allgood, John wrote:
I have a question for you all. I am using openldap 2.4.31 on Centos
5.5 and using the ppolicy overlay. I have also compiled the smbk5 module to update the samba attr when the user password is updated. My problem is to change the password and have the samba password update I have to use ldappasswrd which works great. If I force a pwdReset and login via gdm the password program take over and sets the posix password but this does not change the samba side nor does it adhere to the ppolicy. I am thinking this may something related to /etc/pamd/system-auth file but not sure. Any feedback would be appreciated.
If you are using PADL pam_ldap.so (included in nss_ldap package), you must set "pam_password exop" in your /etc/ldap.conf.
-- -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp) -- Business Home: http://www.OSSTech.co.jp/ -- Personal Home: http://www.SFO.jp/blog/
______________________________________________________
This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.
-- Adam Leach BS Computer/Electrical Engineering West Virginia University Systems Administrator - Raytheon (304)677-4455
______________________________________________________
This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.