Hello Buchan
I am running the rpm package openldap server 2.3 that comes with CentOS 5.4, and my ldap client is CentOS 4. It looks like there is no ldapwhoami -e ppolicy option on the CentOS 4 client, as you can see below. I also copy and paste the client's /etc/pam.d/system-auth below.
[user1@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (an RFC 2254 Filter)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]manageDSAit
             [!]noop
             [!]postread[=<attrs>] (a comma-separated attribute list)
             [!]preread[=<attrs>]  (a comma-separated attribute list)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Indentifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)
[user1@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

#password   requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
Do you see anything configured wrong in my /etc/pam.d/system-auth? Thanks so much for your help with this issue.
Regards Wei
On Aug 17, 2010 4:43am, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
Hello Buchan
I set pwdReset manually and it worked. Thank you.
For my issue regarding pwdExpireWarning not displaying a warning message when I ssh into my systems, I still can't figure out what I did wrong. Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see man page),
with -e ppolicy option to display ppolicy controls in the response.
pwdMaxAge works perfectly and so does every other attribute, except
pwdExpireWarning. pwdExpireWarning is the only one I am having issues
now. Not sure what I did wrong. Do you need to know any other details?
If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings. See my previous reply:
You need to supply your PAM configuration if anyone is to assist you further.
expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards,
Buchan
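As an added example (not part of this thread, and not OpenLDAP's own code), here is the server-side arithmetic behind the warning that ldapwhoami -e ppolicy would show in the ppolicy response control: the password expires at pwdChangedTime + pwdMaxAge, and the control carries a timeBeforeExpiration warning only once the remaining time is within pwdExpireWarning. The policy entry is the cn=default one posted above; the pwdChangedTime values and the fixed "now" are constructed so the script runs offline, and the tiny LDIF parser is an assumption good only for a simple single-entry policy like this one. Running it against your own pwdChangedTime (ldapsearch ... pwdChangedTime as the user) tells you whether the server should be sending a warning at all, before you look at the PAM stack.

```python
"""Reproduce OpenLDAP ppolicy expiry/warning arithmetic for one user.

Added example; not code from the thread or from OpenLDAP. The policy LDIF
is the cn=default entry posted in the thread; every pwdChangedTime and the
'now' value below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader (assumption: one entry, no continuation lines, no
    base64 values), which is all a ppolicy entry like the one above needs."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_generalized_time(value):
    """slapd stores pwdChangedTime as GeneralizedTime, e.g. 20100701120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def ppolicy_status(policy, pwd_changed_time, now_generalized_time):
    """Return (state, seconds) as the ppolicy response control would report it.

    'ok'      : no warning in the control; seconds = time left until expiry
    'warning' : control carries timeBeforeExpiration = seconds
    'expired' : bind is refused (passwordExpired) because pwdGraceAuthNLimit
                in this policy is 0; seconds is 0
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warn_window = int(policy.get("pwdExpireWarning", ["0"])[0])
    grace = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    if max_age == 0:
        return ("ok", None)  # pwdMaxAge 0 means passwords never expire

    expires_at = parse_generalized_time(pwd_changed_time) + timedelta(seconds=max_age)
    remaining = int((expires_at - parse_generalized_time(now_generalized_time)).total_seconds())

    if remaining <= 0:
        # With grace logins the server would answer with graceAuthNsRemaining
        # instead; this policy has none, so the bind simply fails.
        return ("expired", 0 if grace == 0 else grace)
    if warn_window and remaining <= warn_window:
        return ("warning", remaining)
    return ("ok", remaining)


if __name__ == "__main__":
    policy = parse_ldif_entry(POLICY_LDIF)
    now = "20100817120000Z"  # constructed: the day of the thread
    # constructed pwdChangedTime values: 16, 47 and 77 days before 'now'
    for changed in ("20100801120000Z", "20100701120000Z", "20100601120000Z"):
        state, seconds = ppolicy_status(policy, changed, now)
        print(f"pwdChangedTime={changed}: {state} ({seconds} s)")
```

With pwdMaxAge 5184000 (60 days) and pwdExpireWarning 1209600 (14 days), a password changed on 1 July is 13 days from expiry on 17 August and gets the warning; one changed on 1 August has 44 days left and gets none. A client that binds and sees no warning in the control for a user the arithmetic says should get one is a server-side problem; a control that does carry the warning while ssh stays silent points, as above, at the PAM account stack.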