Hello,
Could someone direct me to the source of wisdom to solve this: I have set correctly the fields (attributes)
shadowExpire shadowLastChange shadowMin shadowMax
to make the account expired (OpenLDAP used to run NT domain), but when I ssh to a server using pam_ldap authentication, it is still allowed to log in.
How should pam_ldap be instructed to take the expiration attributes into account?
Thanks. Sincerely, Konstantin
On 13/01/2011, at 17:45, Konstantin Boyandin wrote:
How should pam_ldap be instructed to take the expiration attributes into account?
Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?
William Brown
I was thinking along the same lines:
* Is pam_password exop in your /etc/ldap.conf?
* And does the passwd entry for nsswitch contain ldap?
* Ditto for /etc/pam.d/system-auth-ac?
- chris
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Sent: Thu Jan 13 00:22:50 2011
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentification
Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?
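The check these two replies are pointing at, as an added example that is not part of the thread and not pam_ldap or OpenLDAP code: once nsswitch serves the passwd and shadow maps from the directory and a PAM account module actually runs, the attributes the poster set are evaluated as day counts in the sense of shadow(5). The LDIF entry below is constructed, and the day-count boundaries are assumed from shadow(5).

```python
# Added example (not pam_ldap/OpenLDAP code): apply shadow(5) day-count rules
# to the attributes the poster set. The LDIF entry below is constructed.
from datetime import date

SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
shadowLastChange: 14900
shadowMin: 0
shadowMax: 90
shadowExpire: 15000
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for one plain LDIF entry (no folding/base64)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def shadow_days(d):
    """Days since 1970-01-01, the unit every shadow(5) field uses."""
    return (d - date(1970, 1, 1)).days

def account_status(entry, today_days):
    """Return 'expired', 'password_expired' or 'ok' for the given day count.

    shadowExpire is the day the account stops being usable and is checked
    first. Password ageing uses shadowLastChange + shadowMax; -1 or an
    absent attribute disables it, and shadowLastChange 0 forces a change.
    """
    def attr(name):
        return int(entry.get(name, ["-1"])[0])

    expire = attr("shadowExpire")
    if expire > 0 and today_days >= expire:
        return "expired"
    last, max_age = attr("shadowLastChange"), attr("shadowMax")
    if last == 0:
        return "password_expired"
    if last > 0 and max_age >= 0 and today_days > last + max_age:
        return "password_expired"
    return "ok"
```

Call `account_status(parse_ldif_entry(SAMPLE_LDIF), shadow_days(date.today()))` to evaluate the sample entry against today; an entry that comes back "ok" while the poster expects "expired" points at the data, not at the PAM stack.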
Indexer wrote:
Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?
As a reminder - the OpenLDAP-technical list is for the discussion of actual OpenLDAP software, as well as how to make other software interoperate with it. Questions that are purely about how to use 3rd party software "foo" work at all do not belong on this list.
There is no evidence that the original poster is having any trouble using OpenLDAP. His question is entirely about making 3rd party software work, and those questions belong on the support forums for those 3rd party software packages.
This looks to be a question where the user does not know what is responsible for the issue he is seeing, but it does relate to his attempt to use OpenLDAP. He is correct in asking here, and helpfully pointing him in the correct direction is the right course of action, rather than saying "you are wrong to ask this here". This problem may have been, to him, related to missing elements from his user objects (which would have been OpenLDAP) or it could have been anything else.
Also you said
As a reminder - the OpenLDAP-technical list is for the discussion of actual OpenLDAP software, as well as how to make other software interoperate with it. Questions that are purely about how to use 3rd party software "foo" work at all do not belong on this list.
This counts as "other software interoperate with it." from where I am sitting. I have seen many questions like this, and I think it should be something we answer, pointing people in the correct direction rather than saying "you'll get no help here".
So instead of going to a doctor to be referred to a specialist, you will go straight to a specialist without knowing what your problem is? Makes complete sense.
--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
William Brown
Indexer wrote:
This looks to be a question where the user does not know what is responsible for the issue he is seeing, but it does relate to his attempt to use OpenLDAP. He is correct in asking here, and helpfully pointing him in the correct direction is the right course of action, rather than saying "you are wrong to ask this here". This problem may have been, to him, related to missing elements from his user objects (which would have been OpenLDAP) or it could have been anything else.
Pointing him to pam_ldap was the correct action.
Also you said
As a reminder - the OpenLDAP-technical list is for the discussion of actual OpenLDAP software, as well as how to make other software interoperate with it. Questions that are purely about how to use 3rd party software "foo" work at all do not belong on this list.
This counts as "other software interoperate with it." from where I am sitting. I have seen many questions like this, and I think it should be something we answer, pointing people in the correct direction rather than saying "you'll get no help here".
So instead of going to a doctor to be referred to a specialist, you will go straight to a specialist without knowing what your problem is? Makes complete sense.
It was obvious that he was not asking "why doesn't my pam_ldap talk to my OpenLDAP server."
Missing elements from the user objects is a *data* problem, it is not an interoperability problem. He would have the same issue whether the server was OpenLDAP, Oracle, or M$AD. It has nothing to do with OpenLDAP, and a careful reader would have known all of this. If you're not reading carefully, you should not be responding to the posts.
It was obvious that he was not asking "why doesn't my pam_ldap talk to my OpenLDAP server."
Missing elements from the user objects is a *data* problem, it is not an interoperability problem. He would have the same issue whether the server was OpenLDAP, Oracle, or M$AD. It has nothing to do with OpenLDAP, and a careful reader would have known all of this. If you're not reading carefully, you should not be responding to the posts.
In fact, it wouldn't matter if the backend was M$AD or not. You can still use the OpenLDAP client libraries to talk to AD. It is thus still an OpenLDAP-related question, where the user does not know where to look from here; they personally did not know that it was NOT the fault of OpenLDAP or pam_ldap but rather of nsswitch.
The fact of the matter is that not everyone knows everything, or they may have missed something in research etc. It is hard to find a man page if you don't know what you are looking for. Google also is not perfect. This person did not know about nsswitch and its requirement, merely believing that the key parts of this issue were either OpenLDAP or pam_ldap. We have more experience and know this is not the case. He did not. He asked where he thought the most experience would be, here, and rightly so as well, since we were able to tell him "look at nsswitch, rather than OpenLDAP or pam_ldap".
This comes down far more to what he was asking about (and his limited experience), and your perception of it, rather than "what is allowed and what is not".
William Brown
Konstantin Boyandin wrote:
How should pam_ldap be instructed to take the expiration attributes into account?
Ask on a pam_ldap mailing list. pam_ldap is not a piece of OpenLDAP software; your question is off topic here.