Hello,
I've gotten our password policy to function as it should - passwords expire, requiring password changes, old passwords can't be reused, etc.
I'm working on the last little detail - getting the password expiration warning to display.
For example, I see in the logs: "Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds"
But I never get the notice on login clients - regardless of client type (even from machine to itself).
I suspect y'all are going to be interested in ldap.conf and the pam config, so here they are, along with some possibly relevant bits:

/etc/ldap.conf:

uri ldaps://ldapmaster1.corp.aptimus.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=unix,dc=aptimus,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

# grep -i pam /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# PAMAuthenticationViaKbdInt no
UsePAM yes
Ppolicy directives in /etc/openldap/slapd.conf (under the sold database definition):

overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
AND just for giggles, I decided to see if I could get the version of the pam_ldap.so that's installed, and ran strings on it. I notice two things:

1.3.6.1.4.1.42.2.27.8.5.1
(objectclass=passwordPolicy)
The ppolicy.schema file compiled used IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here?
(I suspect and hope that the last bit here is a totally unrelated red herring.)
Thanks, - chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
This message is private and confidential. If you have received it in error, please notify the sender and remove it from your system.
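An added example, not part of Chris's post and not OpenLDAP or pam_ldap code: the slapd log line quoted above shows that the ppolicy overlay computed a warning server-side, whether or not any client ever rendered it. Until the client-side display is sorted out, the server log is the one place where approaching expiries are visible, so the script below pulls the "Setting warning for password expiry" lines out of a slapd log, keeps the most recent value per DN, and lists the accounts whose remaining time is under a threshold. It assumes the log format exactly as printed in the quoted line; the first sample line is the post's own, the other lines are constructed for the example.

```python
import re

# Matches the ppolicy_bind warning line exactly as quoted in the post.
# Captures the bind DN and the number of seconds until the password expires.
WARN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) slapd\[(?P<pid>\d+)\]: "
    r"ppolicy_bind: Setting warning for password expiry for (?P<dn>.+?) = (?P<secs>\d+) seconds$"
)

# Constructed sample log: line 1 is the line from the post, the rest are made up
# (including an unrelated BIND line that must be ignored, and a second, later
# warning for the same DN that must win over the first one).
SAMPLE_LOG = """\
Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds
Mar 29 19:30:02 ldapmaster1 slapd[32653]: conn=1234 op=0 BIND dn="uid=someone,ou=people,dc=example,dc=com" method=128
Mar 29 19:31:15 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=alice,ou=people,dc=example,dc=com = 604800 seconds
Mar 29 19:32:40 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 2900 seconds
"""


def parse_expiry_warnings(log_text):
    """Return {dn: seconds_remaining}, keeping the latest warning seen per DN.

    Lines that are not ppolicy_bind warnings are skipped. Because the log is
    processed in order, a later warning for the same DN overwrites an earlier one.
    """
    warnings = {}
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            warnings[m.group("dn")] = int(m.group("secs"))
    return warnings


def uid_from_dn(dn):
    """Return the value of the leading uid= RDN, or the whole DN if it has none."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    return value if attr.lower() == "uid" else dn


def format_remaining(secs):
    """Render seconds as 'Nd Nh Nm Ns', dropping leading zero-valued units."""
    days, rem = divmod(secs, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, seconds = divmod(rem, 60)
    parts = [(days, "d"), (hours, "h"), (minutes, "m"), (seconds, "s")]
    while len(parts) > 1 and parts[0][0] == 0:
        parts.pop(0)
    return " ".join(f"{v}{u}" for v, u in parts)


def accounts_expiring_within(warnings, threshold_secs):
    """List (uid, seconds) for accounts at or below the threshold, soonest first."""
    hits = [(uid_from_dn(dn), secs) for dn, secs in warnings.items() if secs <= threshold_secs]
    return sorted(hits, key=lambda item: item[1])


if __name__ == "__main__":
    found = parse_expiry_warnings(SAMPLE_LOG)
    # Report anything expiring within the next hour (3600 seconds).
    for uid, secs in accounts_expiring_within(found, 3600):
        print(f"{uid}: password expires in {format_remaining(secs)}")
```

Run it against a real log with `parse_expiry_warnings(open("/var/log/slapd.log").read())`; the threshold is an assumption and should be set to something shorter than the policy's pwdExpireWarning so the list only contains accounts the users should already have been warned about.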