I need help/advice on ppolicy against Linux servers.
I am running OpenLDAP 2.3.43-3.el5 (Red Hat rpm) on RHEL5. I am using the ppolicy overlay. The overlay seems to work to all of the tools, etc., that use this LDAP, except for the Linux servers. With these servers, we get no expiry warning, and users can log in after the password has expired (unlimited). We are using PAM/LDAP on these servers.
Debugging this issue has caused me a bit of confusion. In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user. How does the policy work in this situation?
Am I missing something here?
Here's what I see when I log in as a user (second login, pwdGraceAuthNLimit=2):
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:03 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 1 grace logins remain)
dn:uid=test_user,ou=people,o=theorg,dc=example,dc=net
Result: Success (0)
[test_user@linux_box ~]$
[test_user@linux_box ~]$ exit
Then on the next login:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:26 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$
[test_user@linux_box ~]$ exit
Yet again:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:40:12 2009 from 10.50.1.135
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'uid=test_user,ou=people,o=theorg,dc=example,dc=net' -w ldapspwd +
# extended LDIF
#
# LDAPv3
# base <uid=test_user,ou=people,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: +
#

# test_user, people, theorg, example.net
dn: uid=test_user,ou=people,o=theorg,dc=example,dc=net
structuralObjectClass: person
entryUUID: d45aa296-a3e4-102d-8c8e-0b16af70e85f
creatorsName: cn=ldapmanager,o=theorg,dc=example,dc=net
createTimestamp: 20090313063503Z
pwdHistory: 20091023185344Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RCW90SL
 v$8PfQ99gzlJd.7TH2HnhOS0
pwdHistory: 20091023190836Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RM6V/En
 e$0oGsI47SUaIDFap9Nft3z1
pwdHistory: 20091023191529Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$18vC.s9
 3$cT38cSrrF/PXMhWqV.P.r/
pwdPolicySubentry: cn=ppdefault_test,ou=policies,o=theorg,dc=example,
 dc=net
pwdChangedTime: 20091023191529Z
pwdGraceUseTime: 20091023193816Z
pwdGraceUseTime: 20091023193905Z
entryCSN: 20091023193905Z#000000#00#000000
modifiersName: cn=ldapmanager,o=theorg,dc=example,dc=net
modifyTimestamp: 20091023193905Z
entryDN: uid=test_user,ou=people,o=theorg,dc=example,dc=net
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net' -w ldapspwd
# extended LDIF
#
# LDAPv3
# base <cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ppdefault_test, policies, theorg, example.net
dn: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
cn: ppdefault_test
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 2
pwdCheckQuality: 1
pwdInHistory: 3
pwdLockoutDuration: 60
pwdMaxFailure: 5
pwdFailureCountInterval: 603
sn: ppdefault_test
pwdMaxAge: 120
pwdExpireWarning: 100
description: test
pwdMinAge: 1
pwdSafeModify: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$
[test_user@linux_box ~]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
[test_user@linux_box ~]$
[test_user@linux_box ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 type=LDAP
password    sufficient    /lib/security/$ISA/pam_unix.so nullok md5 use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
Any advice would be much appreciated (I swear this worked when I tested it last March).
Thanks, Joe
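Added example, not part of Joe's post: a small Python script that reads the user entry and the pwdPolicy entry dumped above (trimmed to their pwd* attributes, constructed here from that output) and applies the ppolicy expiry and grace arithmetic offline, so an administrator can see from a plain ldapsearch why a bind is refused. It approximates the overlay's rules rather than querying slapd; with the two pwdGraceUseTime values already recorded against pwdGraceAuthNLimit 2, it reports the same outcome as the last ldapwhoami session.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample, trimmed to the pwd* attributes of the entry and policy dumped above.
USER_LDIF = """\
dn: uid=test_user,ou=people,o=theorg,dc=example,dc=net
pwdPolicySubentry: cn=ppdefault_test,ou=policies,o=theorg,dc=example,
 dc=net
pwdChangedTime: 20091023191529Z
pwdGraceUseTime: 20091023193816Z
pwdGraceUseTime: 20091023193905Z
"""
POLICY_LDIF = """\
dn: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
pwdGraceAuthNLimit: 2
pwdMaxAge: 120
pwdExpireWarning: 100
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, map attribute -> [values]."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]  # LDIF folding: a leading space continues the previous line
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr, []).append(value.strip())
    return entry

def gtime(value):
    """Parse GeneralizedTime as slapd writes it (YYYYmmddHHMMSSZ) into an aware datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def ppolicy_status(entry, policy, now_gtime):
    """Bind verdict at now_gtime (GeneralizedTime string); approximates the overlay's rules:
    expiry = pwdChangedTime + pwdMaxAge, warn within pwdExpireWarning seconds of it, and an
    expired password binds only while fewer than pwdGraceAuthNLimit pwdGraceUseTime exist."""
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in entry:  # no ageing configured or tracked
        return {"expired": False, "warn_seconds": None, "bind_allowed": True, "grace_remaining": None}
    left = int((gtime(entry["pwdChangedTime"][0]) + timedelta(seconds=max_age)
                - gtime(now_gtime)).total_seconds())
    expired = left <= 0
    warn_window = int(policy.get("pwdExpireWarning", ["0"])[0])
    grace_left = int(policy.get("pwdGraceAuthNLimit", ["0"])[0]) - len(entry.get("pwdGraceUseTime", []))
    return {"expired": expired, "grace_remaining": max(grace_left, 0) if expired else None,
            "warn_seconds": left if not expired and left <= warn_window else None,
            "bind_allowed": not expired or grace_left >= 1}  # refused once no grace login is left
```

Only a bind as the user's own DN exercises this path on the server; a search made with a separate manager binddn, as PAM/LDAP does here, never touches the user's pwd* state.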