I am working (with RH via Dell support) to solve an issue (that I believe to be a pam_ldap issue). The problem is that the password policy control messaging does not occur when I set 'pam_password md5', thus the Linux client never knows that the password expires.
They have informed me that the password policy overlay in LDAP requires clear-text passwords, and will not handle the password policy stuff if the password is hashed. This makes no sense to me, since ppolicy is only handling expiry times, etc. and pam is handling the rest (length, strength, etc., prior to hash).
Does the ppolicy overlay require clear-text?
Thanks, Joe
On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe to be a pam_ldap issue). The problem is that the password policy control messaging does not occur when I set 'pam_password md5', thus the Linux client never knows that the password expires.
Works fine here with pam_ldap 183 and:
  pam_password exop
  pam_lookup_policy yes
(Well, I would really prefer if pam_ldap prompted to change the password while there are still grace logins left, instead of waiting until they are all used ... I'll file a bug on that).
> They have informed me that the password policy overlay in LDAP requires clear-text passwords, and will not handle the password policy stuff if the password is hashed. This makes no sense to me, since ppolicy is only handling expiry times, etc. and pam is handling the rest (length, strength, etc., prior to hash).
> Does the ppolicy overlay require clear-text?
Only if you want it to enforce password quality, but then you should use pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that cleartext passwords are hashed on the server.
Regards, Buchan
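For reference, here is the configuration pairing Buchan describes, written out as an added example (not from either poster): the server side with the ppolicy overlay hashing clear-text passwords itself, and the pam_ldap client side using the password-modify extended operation instead of client-side md5. The suffix, policy DN, file paths and policy values are assumptions; in slapd.conf the ppolicy_hash_cleartext directive takes no argument.

```conf
# --- /etc/openldap/slapd.conf (assumed path), server side ---
# Hash algorithm used when slapd stores a clear-text password it received.
password-hash {SSHA}

moduleload ppolicy.la

database bdb
suffix "dc=example,dc=com"          # assumed suffix

overlay ppolicy
# Policy applied to users that carry no pwdPolicySubentry attribute.
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"
# Hash clear-text passwords arriving in Add/Modify, so clients can send
# clear text (needed for quality checks) without storing it in clear.
ppolicy_hash_cleartext

# --- default policy entry, loaded with ldapadd (assumed values) ---
# dn: cn=default,ou=policies,dc=example,dc=com
# objectClass: organizationalRole
# objectClass: pwdPolicy
# cn: default
# pwdAttribute: userPassword
# pwdMaxAge: 7776000          # password expires after 90 days
# pwdExpireWarning: 1209600   # warn via the control 14 days before expiry
# pwdGraceAuthNLimit: 3       # grace logins allowed after expiry
# pwdCheckQuality: 2          # reject passwords whose quality can't be checked
# pwdMustChange: TRUE

# --- /etc/ldap.conf (assumed path), pam_ldap client side ---
# uri ldap://ldap.example.com/
# base dc=example,dc=com
#
# Client-side hashing: the server only ever sees a hash, so ppolicy
# cannot evaluate quality and the policy control is not returned.
# pam_password md5
#
# Use the password-modify extended operation instead; the server hashes it.
# pam_password exop
# Ask for the password policy control on bind so expiry/grace is reported.
# pam_lookup_policy yes
```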