Hello list,

First of all, sorry if this is on the wrong list, reaches the wrong people, has been asked 1000 times before, or is just a basic or stupid question. Yes, I have searched Google and the mailing list archives.
We (successfully) implemented ppolicy on our 2.4.22 OpenLDAP server. Password constraints are enforced correctly, but letting the accounts expire correctly seems a bit tricky.
When users with an expired account try to log on to an application making a bind using the user's own credentials, everything works as expected; users cannot log in, access gets denied. In the slapd logging, the following message is displayed:

Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an expired password: 0 grace logins
But when trying to log in via PAM (ssh, su etc.), there is no warning displayed that the account is expired. The user is also allowed to log in normally.
I've been Googling for a couple of days now, and can't really find the culprit. I was especially interested in this thread:
So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
When I try to bind directly, such as with an ldapsearch, the logging shows

Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=<user> = 4318121 seconds
So, that seems to be correct. But, when logging in via PAM, the log does not display the "setting warning".
ldap.conf on the clients reads:

binddn cn=<binddn>
base <base>
bindpw <secret>
uri ldaps://<master1> ldaps://<master2>
ssl yes
bind_timelimit 2
tls_checkpeer yes
tls_ciphers TLSv1
tls_cacertdir /etc/ssl/openldap2.4
pam_password crypt
pam_check_host_attr yes
pam_lookup_policy yes
I think this is caused by PAM using the bindDN and then *querying* the user. So the server does not set a password expiry warning. But as I understood it, "pam_lookup_policy" should ensure PAM tries to query for an expiry date.

How can I configure PAM to display the "Your password will expire in ... days"?
/etc/pam.d/system-auth:

auth required /lib/security/$ISA/pam_tally2.so onerr=succeed audit
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_krb5.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
sshd_config shows "UsePAM yes"
Again, sorry if this is not a question for this list.

Thank you for any responses,

Dannie Obbink