Hello,
When I force the expiration by changing pwdMaxAge, what I can see in the log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
I test the login, I get two warnings as configured, but the user is never forced to change it and can log in as usual. Any hint on this?
I was expecting something like this; this is from my old notes (2013), at that time it worked:
You are required to change your LDAP password immediately.
Last login: Wed Feb 13 12:07:38 2013 from server.domain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user pmorales.
Enter login(LDAP) password:
My sss configuration
# sssd::config
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version=2

[domain/zebra]
# sssd::provider::ldap
id_provider=ldap
auth_provider=ldap
chpass_provider=ldap
ldap_uri=ldap://openldap.domain.com
ldap_chpass_uri=ldap://openldap.domain.com
ldap_search_base=dc=domain,dc=com
ldap_tls_reqcert=never
ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem
ldap_tls_cacertdir=/etc/openldap/cacerts
ldap_id_use_start_tls=false
ldap_user_search_base=ou=Users,dc=domain,dc=com
ldap_group_search_base=ou=Groups,dc=domain,dc=com
debug_level=6
ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com
ldap_chpass_update_last_change=true
ldap_user_shadow_last_change=shadowLastChange
ldap_pwd_policy=shadow
nsswitch.conf
passwd: files sss
shadow: files sss
group:  files sss
System-Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077
Password Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077
Thanks Regards
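Editor's note with an added example (this is not code from the thread or from the sssd project). The forced password change over ssh is driven by the PAM account phase: sshd calls pam_acct_mgmt, pam_sss.so returns PAM_NEW_AUTHTOK_REQD for an expired password, and only then does sshd run the password stack. In the system-auth and password-auth posted above, pam_sss.so is present in the auth, password and session phases but not in the account phase, so that result is never produced. The script below is a small lint that parses a PAM stack and reports, per phase, whether pam_sss.so is consulted at all. The two sample stacks are constructed: PAGE_SYSTEM_AUTH mirrors the file posted above, and FIXED_SYSTEM_AUTH adds the account-phase line that authconfig generates for sssd-enabled hosts (the bracketed control and its position before pam_permit.so are taken from that layout, not from this thread).

```python
"""Lint a PAM stack for sssd coverage: which phases actually call pam_sss.so.

Added example, not code from the mailing-list thread. The sample stacks are
constructed for the example (see the comments on each).
"""
import re
from typing import Dict, List, NamedTuple

PHASES = ("auth", "account", "password", "session")

# Constructed sample: the system-auth posted in the thread, one rule per line.
PAGE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077
"""

# Constructed sample: the same stack with pam_sss.so consulted in the account
# phase, placed where authconfig puts it (just before the final pam_permit.so).
FIXED_SYSTEM_AUTH = PAGE_SYSTEM_AUTH.replace(
    "account     required      pam_permit.so",
    "account     [default=bad success=ok user_unknown=ignore] pam_sss.so\n"
    "account     required      pam_permit.so",
)


class PamRule(NamedTuple):
    phase: str
    control: str      # required / sufficient / requisite / optional / [...]
    module: str       # e.g. pam_sss.so
    args: List[str]   # module arguments, split on whitespace


# One rule: phase, then either a keyword control or a bracketed control
# ([success=1 default=ignore]), then the module, then optional arguments.
_RULE_RE = re.compile(
    r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$"
)


def parse_pam_stack(text: str) -> List[PamRule]:
    """Parse a system-auth/password-auth style file into PamRule entries."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments (#%PAM-1.0 too)
        if not line:
            continue
        m = _RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        phase, control, module, rest = m.groups()
        rules.append(PamRule(phase, control, module, rest.split()))
    return rules


def sss_coverage(text: str) -> Dict[str, bool]:
    """Return, per phase, whether pam_sss.so appears in the stack at all."""
    rules = parse_pam_stack(text)
    return {
        phase: any(r.phase == phase and r.module == "pam_sss.so" for r in rules)
        for phase in PHASES
    }


def missing_sss_phases(text: str) -> List[str]:
    """Phases in which sssd is never consulted; 'account' here means no
    PAM_NEW_AUTHTOK_REQD can ever reach sshd for an expired LDAP password."""
    return [phase for phase, present in sss_coverage(text).items() if not present]


def report(text: str) -> str:
    """Human-readable per-phase summary."""
    return "\n".join(
        f"{phase:<9} pam_sss.so {'present' if ok else 'MISSING'}"
        for phase, ok in sss_coverage(text).items()
    )


if __name__ == "__main__":
    for name, stack in (("thread system-auth", PAGE_SYSTEM_AUTH),
                        ("with account-phase pam_sss", FIXED_SYSTEM_AUTH)):
        print(f"== {name} ==")
        print(report(stack))
        print("missing phases:", missing_sss_phases(stack) or "none")
```

To run it against a live host, read /etc/pam.d/system-auth and /etc/pam.d/password-auth and pass the contents to report(); the check only tells you whether sssd is wired into each phase, it does not evaluate the password policy itself.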
2018-05-10 11:45 GMT-03:00 Net Warrior netwarrior863@gmail.com:
Hi
From time to time I need to reset user passwords when they forget them, so I want to force them to change it when they connect over ssh. As far as I remember this worked before (I do not remember which OpenLDAP version, it was a long time ago). Anyway, how can I force users to change their passwords upon ssh connection? Or is it not possible anymore?
Thanks Regards
On 05/08/2018 09:25 AM, Clément OUDOT wrote:
On 03/05/2018 at 16:23, Net Warrior wrote:
Hello there guys, when setting pwdReset to TRUE I cannot log in to the system anymore, I just get permission denied, then I found this.
https://github.com/pwm-project/pwm/issues/155
Did I face that bug or maybe it's something else?
It's not a bug. If pwdReset is set to TRUE, the BIND will be successful but you will not be allowed to do any other operation than changing the password. If your application is doing a SEARCH just after the BIND, you will be denied.