On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
Hello Buchan
I set pwdReset manually and it worked. Thank you.
For my issue regarding pwdExpireWarning not displaying warning message when I ssh into my systems, I still can't figure out what I did wrong. Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see man page), with -e ppolicy option to display ppolicy controls in the response.
pwdMaxAge works perfectly and so does every other attribute, except pwdExpireWarning. pwdExpireWarning is the only one I am having issues now. Not sure what I did wrong. Do you need to know any other details?
If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack. This will not be the only pam_ldap feature (host-based authorization with pam_check_host_attr will not be adhered to) that doesn't work due to incorrect PAM authorization settings. See my previous reply:
You need to supply your PAM configuration if anyone is to assist you further.
expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards, Buchan