Dear openldap experts,
the company I work for recently migrated to Ubuntu 22.04, and we use openldap with password policies and password expiry (once per year), with no changes to OpenLDAP config.
However, we also use a scientific linux 6 (SL6, ~RH6) compile machine for backwards compatibility purposes (also using OpenLDAP).
Now what happens is:
- user ldaptestuser1's password expires
- she/he changes her/his password on Ubuntu (problem 1: no PP checking, maybe due to cache_credentials = yes in /etc/sssd/sssd.conf)
- SL6 (host X) does not know about that (problem 2: pwd checking on SL6 _always_ yields a Constraint violation, so user ldaptestuser1 cannot login there):
  ldaptestuser1@X's password:
  You are required to change your password immediately (password aged)
  You are required to change your LDAP password immediately.
  Last login: DATE from Y
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user ldaptestuser1.
  Enter login(LDAP) password:
  New password:
  Retype new password:
  LDAP password information update failed: Constraint violation
  Password fails quality checking policy
  passwd: Authentication token manipulation error
  Connection to X closed.
I cannot see any relevant error in the server (sys)log (with stats logging). Which log level shall I enable?
- is there a workaround / fix for problem 1?
- Regarding problem 2: shall I disable password expiry (shadow extension)?
Many Thanks and Best Regards! -- Felix Natter
Hi!
My guess for "Password fails quality checking policy" is that the password was simply too short. Maybe your policy configuration isn't correct. I suggest examining all (also operational) attributes of the account in question. (I recently implemented an email warning for expiring passwords, so I collected some experience while doing so.)
Kind regards, Ulrich
-----Original Message----- From: Felix Natter fnatter@gmx.net Sent: Saturday, November 16, 2024 4:55 PM To: openldap-technical@openldap.org Subject: [EXT] PP/expiry issues with Ubuntu22 and RH6
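Ulrich's suggestion above, as an added example that is not part of the thread: a script that takes the `ldapsearch ... '*' '+'` output for the account (the `+` is what returns the operational attributes) and applies the expiry rules of slapo-ppolicy and of the shadow extension to it, so the server's view of the account can be compared with what the Ubuntu and SL6 clients claim. It goes beyond the suggestion by doing the expiry arithmetic for both mechanisms. The host, base DN and LDIF values are constructed for the example; the one-year pwdMaxAge is the thread's, and treating a missing pwdChangedTime as "not expired" is this example's assumption.

```python
import base64
from datetime import datetime, timedelta, timezone

# Assumed host and base DN (not from the thread). The search that produces LDIF
# like SAMPLE_LDIF below; '+' requests the operational attributes (pwdChangedTime,
# pwdPolicySubentry, pwdReset, pwdFailureTime, ...) that are not returned by default:
#   ldapsearch -LLL -H ldap://ldap.example.com -D cn=admin,dc=example,dc=com -W \
#     -b dc=example,dc=com '(uid=ldaptestuser1)' '*' '+'

# Constructed sample output for an account whose yearly expiry passed a week ago.
SAMPLE_LDIF = """\
dn: uid=ldaptestuser1,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: ldaptestuser1
shadowLastChange: 19671
shadowMax: 365
pwdChangedTime: 20231110120000Z
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com
pwdFailureTime: 20241116150000Z
pwdFailureTime: 20241116150130Z
"""

# pwdMaxAge lives on the policy entry, not on the user; one year as in the thread.
PWD_MAX_AGE = 365 * 86400

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ldif_entry(text):
    """Return {attribute: [values]} for the first entry of an LDIF dump.

    Unfolds continuation lines (leading space) and decodes base64 values ("attr:: ...").
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        if name == "version":
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(name, []).append(value.strip())
    return entry


def generalized_time(value):
    """Parse the GeneralizedTime form slapd writes, e.g. 20231110120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_status(entry, pwd_max_age, now):
    """Apply the two expiry rules in play on the thread to one account entry.

    slapo-ppolicy: expired once pwdChangedTime + pwdMaxAge has passed
    (pwdMaxAge 0 means never). An entry without pwdChangedTime is reported
    as not expired here; that is this example's assumption.
    shadow (pam_unix semantics): must change when today - shadowLastChange
    exceeds shadowMax, or when shadowLastChange is 0.
    """
    status = {
        "policy": entry.get("pwdPolicySubentry", ["(default policy)"])[0],
        "must_change": entry.get("pwdReset", ["FALSE"])[0] == "TRUE",
        "failed_binds": len(entry.get("pwdFailureTime", [])),
        "locked": "pwdAccountLockedTime" in entry,
        "pwd_expired": False,
        "shadow_expired": False,
    }
    if "pwdChangedTime" in entry:
        changed = generalized_time(entry["pwdChangedTime"][0])
        status["pwd_expires"] = changed + timedelta(seconds=pwd_max_age)
        status["pwd_expired"] = pwd_max_age > 0 and now >= status["pwd_expires"]
    if "shadowLastChange" in entry and "shadowMax" in entry:
        last_change = int(entry["shadowLastChange"][0])
        shadow_max = int(entry["shadowMax"][0])
        today = (now - EPOCH).days
        status["shadow_days_overdue"] = today - (last_change + shadow_max)
        status["shadow_expired"] = last_change == 0 or (
            shadow_max >= 0 and status["shadow_days_overdue"] > 0
        )
    return status


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    now = datetime(2024, 11, 16, 15, 55, tzinfo=timezone.utc)  # date of the post
    for key, value in password_status(entry, PWD_MAX_AGE, now).items():
        print(f"{key:20} {value}")
```

If the two expiry views disagree for a real account (ppolicy says expired, shadow does not, or the other way round), that is the first thing to reconcile, since the Ubuntu side goes through SSSD and the SL6 side through pam_ldap and they do not necessarily consult the same attributes. Binding as the user with `ldapwhoami -e ppolicy -D <user DN> -W` additionally makes the server return its password policy response control, which shows directly whether slapd itself considers the password expired or in need of reset.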
"Windl, Ulrich" u.windl@ukr.de writes:
Hi!
hello Ulrich,
thank you for your reply.
My guess for "Password fails quality checking policy" is that the password was simply too short. Maybe your policy configuration isn't correct. I suggest examining all (also operational) attributes of the account in question. (I recently implemented an email warning for expiring passwords, so I collected some experience while doing so.)
The two password policies worked fine with RH6+RH7 before we switched to Ubuntu and cached passwords (no changes to OpenLDAP!). I strongly believe the employee in question did enter a password that met the PP requirements.
Shall I disable password caching (Ubuntu workstations) or is there a better fix for problem 1 (see below)?
Is there anything I can do to mitigate problem2 (see below)?
I cannot see any relevant error in the server (sys)log (with stats logging). Which log level shall I enable?
Many Thanks and Best Regards! Felix
-- Felix Natter debian/rules!