Ok....good progress...and thanks again for the data.
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Friday, July 09, 2010 12:27 PM
To: Licause, Al
Cc: Chris Jacobs; openldap-technical@openldap.org
Subject: Re: Expired password allowed in via pwdGraceAuthNLimit w/o warning to user
On Friday, 9 July 2010 15:00:27 Licause, Al wrote:
Chris,
Again thanks so much for the response.
What I don't understand is which component is responsible for requesting the password expiration information ?
In your specific case, pam_ldap.
Excellent !
It must need all of pwdGraceAuthNLimit, pwdMaxAge and pwdChangedTime in order to calculate the information needed to determine which warning to display and when to display it.
This calculation is done on the server side, and passed back to the client in controls attached to the bind response, if the bind had the appropriate controls attached to it.
Good to know.....so only the final calculated data is sent to the client if requested. Not sure I'm seeing the correct request then when using tcpdump or looking at slapd logging. I suspect we have some old components which are going to require upgrades.
It had been suggested that we test with ldapwhoami -e ppolicy. This wasn't something that was obvious to me as the man page for ldapwhoami doesn't show a -e option.
See --help ...
Didn't think to use --help.....now I see it.
(This may be a bug, but the version you have is quite outdated ... so if it is still not documented in the ldapwhoami man page in 2.4.23, you should consider filing an ITS).
Yes...unfortunately. I'm hoping to try out RHES V6 soon to see if they have included later versions of all ldap components. RHES V5.5 still doesn't have what we need.
Or perhaps this is an extension of the ldapsearch or similar commands to include extended parameters.....again something not obvious unless you are familiar with the code.
In any case, when used with -x (since I am not using sasl)
Password policy is (AFAIK) currently only applicable to simple binds. (It may be possible to support it for other methods, if the SASL mech supports it).
No problem.....but good to know.
and -D uid=ldapuser,dc=....-W, only then do I see the warnings down to the second that the password will expire and if it has expired and pwdGraceAuthNLimit is greater than 0, do I see the grace period warning, when testing with ssh.
Please provide the exact message you see with ssh ...
# ssh -l ldap1 ldap1
ldap1@ldap1's password:
Your LDAP password will expire in 1 day.
Last login: Fri Jul 9 11:04:11 2010 from ldap1.osn.cxo.cpqcorp.net
This is displayed if the time to expiration is greater than a 24 hour period which is good....but not displayed if less than that.....which I believe someone said is a known issue in this version.
If the password has already expired, we get no messages and no warnings about grace periods:
# ssh -l ldap1 ldap1
ldap1@ldap1's password:
Last login: Fri Jul 9 11:14:16 2010 from ldap1.osn.cxo.cpqcorp.net

[ldap1@ldap1 ~]$ ldapwhoami -x -D uid=ldap1,dc=osn,dc=cxo,dc=cpqcorp,dc=net -e ppolicy -W
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 4 grace logins remain)
dn:uid=ldap1,dc=osn,dc=cxo,dc=cpqcorp,dc=net
Result: Success (0)
I had expiration set down low for testing and then pwdGraceAuthNLimit set to 5 so that we could hopefully see the expired grace warnings.
A strings on ldapwhoami shows these warnings coming from ldapwhoami itself.
The interpretation from control values to actual string representations must be done by the application.
I have a feeling that the version of sshd may also be old enough that it is not doing this work....
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
If the grace period warning is also supposed to come from pam_ldap.so, then again, ours is probably old and needs to be upgraded:
# strings pam_ldap.so | grep -i grace

# strings pam_ldap.so | grep -i expire
shadowExpire
Password Expired
Your LDAP password will expire in %ld day%s.
Thanks for including a good example of system-auth. I added only the one line that differed from ours and ignored any references to Kerberos libraries, and still no warnings.
I also modified the nsswitch.conf to make sure that shadow accounts were only handled by the local facilities.
Again thanks for the help.
I think I'll investigate to see if newer versions of ldap components have been included in a later version of the OS distributions we support.
Al
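[Added worked example; this is not from the thread above and not OpenLDAP, ldapwhoami or pam_ldap source.] Buchan's point that slapd does the expiry arithmetic and only hands the result back as a control on the bind response, and that turning that control value into text is the client's job, is easiest to see with a decoder for the control itself. The Python below parses the PasswordPolicyResponseValue BER structure from draft-behera-ldap-password-policy (the control that ldapwhoami -e ppolicy asks for, OID 1.3.6.1.4.1.42.2.27.8.5.1) and builds the kind of message ldapwhoami printed above. The control values are constructed by hand rather than captured from a server, the message wording is ours rather than ldapwhoami's or pam_ldap's, the tag octets follow the draft's ASN.1 under LDAP's implicit tagging, and the helper that scans a list of (oid, value) response controls is our own convenience, not an API of any library. It also reports a sub-24-hour expiry in hours, the case the thread says produced no ssh warning.

```python
"""Decoder for the LDAP Password Policy response control carried on a bind response.

Control OID 1.3.6.1.4.1.42.2.27.8.5.1.  The control value is the BER encoding of
(draft-behera-ldap-password-policy; LDAP uses IMPLICIT tags):

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,   -- seconds until pwdChangedTime + pwdMaxAge
          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1),
                               changeAfterReset(2), ... } OPTIONAL }
"""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Error enumeration from the draft.  The wording is ours, not ldapwhoami's.
PPOLICY_ERRORS = {
    0: "Password expired",
    1: "Account locked",
    2: "Password must be changed after reset",
    3: "Password modification not allowed",
    4: "Old password must be supplied",
    5: "Insufficient password quality",
    6: "Password too short",
    7: "Password too young",
    8: "Password in history",
}

# Wire tags: a tagged CHOICE cannot be implicit, so warning [0] is an explicit,
# constructed wrapper (0xA0); the INTEGER / ENUMERATED leaves are implicit and
# primitive.  0x81 means graceAuthNsRemaining inside the wrapper and error outside it.
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0
TAG_TIME_BEFORE_EXPIRATION = 0x80
TAG_GRACE_REMAINING = 0x81
TAG_ERROR = 0x81

# Constructed sample control values (hand-assembled hex, not captured traffic).
SAMPLE_EXPIRED_WITH_GRACE = bytes.fromhex("3008a003810104810100")      # expired, 4 grace left
SAMPLE_EXPIRES_IN_ONE_DAY = bytes.fromhex("3007a0058003015180")        # 86400 s to go
SAMPLE_EXPIRES_IN_TWELVE_HOURS = bytes.fromhex("3007a005800300a8c0")   # 43200 s to go
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("3003810101")                    # error only


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past the end of the control value")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(value):
    """Decode a BER INTEGER / ENUMERATED content octet string (two's complement)."""
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_ppolicy_response(value):
    """Parse a control value into its three possible fields (None when absent)."""
    result = {"time_before_expiration": None, "grace_remaining": None, "error": None}
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("warning CHOICE carries trailing bytes")
            if wtag == TAG_TIME_BEFORE_EXPIRATION:
                result["time_before_expiration"] = _ber_int(wval)
            elif wtag == TAG_GRACE_REMAINING:
                result["grace_remaining"] = _ber_int(wval)
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == TAG_ERROR:
            result["error"] = _ber_int(inner)
        else:
            raise ValueError("unexpected tag 0x%02x in PasswordPolicyResponseValue" % tag)
    return result


def _format_expiry(secs):
    """Report days, else hours, else seconds; no silent cut-off below 24 hours."""
    if secs >= 86400:
        n, unit = secs // 86400, "day"
    elif secs >= 3600:
        n, unit = secs // 3600, "hour"
    else:
        n, unit = secs, "second"
    return "Password will expire in %d %s%s" % (n, unit, "" if n == 1 else "s")


def ppolicy_message(decoded):
    """Turn decoded fields into user-facing text; this is the step the client must do."""
    parts = []
    if decoded["error"] is not None:
        parts.append(PPOLICY_ERRORS.get(decoded["error"],
                                        "Unknown password policy error %d" % decoded["error"]))
    if decoded["grace_remaining"] is not None:
        parts.append("%d grace logins remain" % decoded["grace_remaining"])
    if decoded["time_before_expiration"] is not None:
        parts.append(_format_expiry(decoded["time_before_expiration"]))
    return ", ".join(parts) if parts else "No password policy warning"


def ppolicy_message_from_controls(controls):
    """Our helper: controls is an iterable of (oid, value) from a bind response.
    Returns None when no ppolicy control came back, which is what happens when
    the client never attached the request control to the bind."""
    for oid, value in controls:
        if oid == PPOLICY_RESPONSE_OID:
            return ppolicy_message(decode_ppolicy_response(value))
    return None


if __name__ == "__main__":
    for name, sample in (("expired+grace", SAMPLE_EXPIRED_WITH_GRACE),
                         ("one day", SAMPLE_EXPIRES_IN_ONE_DAY),
                         ("twelve hours", SAMPLE_EXPIRES_IN_TWELVE_HOURS),
                         ("locked", SAMPLE_ACCOUNT_LOCKED)):
        print("%-14s %s" % (name, ppolicy_message(decode_ppolicy_response(sample))))
```

The decoder is a useful check when you are staring at tcpdump: the response control is only present if the bind request carried the ppolicy request control, so an old pam_ldap that never sends it will get nothing back no matter how slapd is configured, and an old one that does get it back still has to implement its own version of ppolicy_message() before the user sees anything.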