On 31/08/2012 21:39, cbulist wrote:
Guillaume,
I did a test with your suggestion and now it is working when I change the pwdMaxAge to some short time such as 15 seconds, but I don't receive any message inviting me to change the password or any warning message for expiration time. I see the following message in debug mode:
uid=user1,ou=People,dc=sample,dc=com has an expired password
I set the attributes in default Policies:
pwsGraceAuthNLimit: 2
pwdAllowUserChange: TRUE
pwdExpireWarning: 10
pwdLockout: TRUE
pwdMaxAge: 15
pwdMustChange: TRUE
In my ldap client I have set: pam_lookup_policy yes
Do I have to change something in PAM?
No idea exactly.
You'd better test directly with basic ldap clients, such as ldapsearch/ldappasswd, to understand how password policy works, and debug your pam issues in a second step. BTW, pam_ldap has a dedicated mailing list that may give a better answer than this one.
Also, if you're only interested in password expiration for your unix user account, you don't need server-side support (ppolicy), the historical shadow system should be enough (and probably simpler).
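
A simplified model of the bind-time decision in the LDAP password policy draft, using the values from this thread (added example, not part of the original messages and not OpenLDAP's code). The names `Policy`, `BindResult` and `evaluate_bind` are hypothetical, a correct password is assumed, and the grace limit of 2 is assumed to be in effect.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Policy:
    pwdMaxAge: int = 15          # seconds; 0 disables expiration
    pwdExpireWarning: int = 10   # warning window before expiry, in seconds
    pwdGraceAuthNLimit: int = 2  # binds still allowed after expiry

@dataclass
class BindResult:
    success: bool
    warning_seconds: Optional[int] = None  # timeBeforeExpiration
    grace_remaining: Optional[int] = None  # graceAuthNsRemaining
    error: Optional[str] = None            # policy error, e.g. passwordExpired

def evaluate_bind(policy, age, grace_used=0, control_requested=True):
    """age: seconds since pwdChangedTime. Simplified model, not server code."""
    result = BindResult(True)
    if policy.pwdMaxAge > 0 and age >= policy.pwdMaxAge:
        remaining = policy.pwdGraceAuthNLimit - grace_used
        if remaining <= 0:
            result = BindResult(False, error="passwordExpired")
        else:
            # This bind consumes one grace login.
            result = BindResult(True, grace_remaining=remaining - 1)
    elif policy.pwdMaxAge > 0 and policy.pwdExpireWarning > 0:
        left = policy.pwdMaxAge - age
        if left <= policy.pwdExpireWarning:
            result = BindResult(True, warning_seconds=left)
    if not control_requested:
        # A client that did not send the policy request control gets no
        # response control: it sees only whether the bind succeeded.
        result = BindResult(result.success)
    return result

if __name__ == "__main__":
    p = Policy()
    # Constructed sample binds: (age in seconds, grace logins already used)
    for age, used in [(3, 0), (8, 0), (20, 0), (20, 2)]:
        print(age, used, evaluate_bind(p, age, used))
    print("no control:", evaluate_bind(p, 8, control_requested=False))
```

With these values the warning window is only the last 10 seconds of a 15-second lifetime, and the warning or grace count reaches the user only if the client requests the policy control and displays the response.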