Hello, when I force the expiration by changing pwdMaxAge, what I can see in the log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
I test the login, I get two warnings as configured, but the user is never forced to change it and can log in as usual. Any hint on this?
I was expecting something like this; this is from my old notes (2013), at that time it worked:
You are required to change your LDAP password immediately.
Last login: Wed Feb 13 12:07:38 2013 from server.domain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user pmorales.
Enter login(LDAP) password:
My sssd configuration
# sssd::config
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version=2

[domain/zebra]
# sssd::provider::ldap
id_provider=ldap
auth_provider=ldap
chpass_provider=ldap
ldap_uri=ldap://openldap.domain.com
ldap_chpass_uri=ldap://openldap.domain.com
ldap_search_base=dc=domain,dc=com
ldap_tls_reqcert=never
ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem
ldap_tls_cacertdir=/etc/openldap/cacerts
ldap_id_use_start_tls=false
ldap_user_search_base=ou=Users,dc=domain,dc=com
ldap_group_search_base=ou=Groups,dc=domain,dc=com
debug_level=6
ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com
ldap_chpass_update_last_change=true
ldap_user_shadow_last_change=shadowLastChange
ldap_pwd_policy=shadow
nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
System-Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077
Password Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     optional      pam_mkhomedir.so umask=0077
Thanks, regards
2018-05-10 11:45 GMT-03:00 Net Warrior netwarrior863@gmail.com:
Hi
From time to time I need to reset user passwords when they forget them, so I want to force them to change it when they connect over ssh. As far as I remember this worked before (I do not remember which OpenLDAP version it was, it was a long time ago). Anyway, how can I force users to change their passwords upon ssh connection? Or is it not possible anymore?
Thanks, regards
On 05/08/2018 09:25 AM, Clément OUDOT wrote:
On 03/05/2018 at 16:23, Net Warrior wrote:
Hello there guys, when setting pwdReset to TRUE I cannot log in to the system anymore, I just get permission denied. Then I found this.
https://github.com/pwm-project/pwm/issues/155
Did I face that bug or maybe it's something else?
It's not a bug. If pwdReset is set to TRUE, the BIND will be successful, but you will not be allowed to do any other operation than changing the password. If your application is doing a SEARCH just after the BIND, you will be denied.
On 21/05/2018 at 17:10, Net Warrior wrote:
Hello, when I force the expiration by changing pwdMaxAge, what I can see in the log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired password: 0 grace logins
I test the login, I get two warnings as configured, but the user is never forced to change it and can log in as usual. Any hint on this?
It seems you are mixing OpenLDAP ppolicy and shadow policy.
Anyway, if the OpenLDAP ppolicy has expired the password, you should not be able to log in, unless you set some cache or fallback on the local account.
You should test with the ldapsearch or ldapwhoami commands to understand the behavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fit your needs.
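The advice above, to look at what ppolicy itself says before tuning sssd, can be turned into a quick offline check. This is an added example, not code from the thread or from OpenLDAP/sssd: it applies the ppolicy rule (pwdChangedTime plus pwdMaxAge, then grace binds) and the shadow rule that sssd uses with ldap_pwd_policy=shadow (shadowLastChange plus shadowMax) to the attributes an ldapsearch of the user and policy entries would return. The DNs, timestamps and policy values in SAMPLE_LDIF are constructed.

```python
# Added example (not from the thread): judge a user's password expiry the way OpenLDAP
# ppolicy does (pwdChangedTime + pwdMaxAge, then grace logins) and the way sssd does with
# ldap_pwd_policy=shadow (shadowLastChange + shadowMax), to show why the two can disagree.
from datetime import datetime, timezone

# Constructed LDIF in the shape `ldapsearch -LLL ... '*' '+'` returns: user plus policy.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=Users,dc=domain,dc=com
pwdChangedTime: 20180301120000Z
pwdGraceUseTime: 20180520080000Z
pwdGraceUseTime: 20180521090000Z
shadowLastChange: 17600
shadowMax: 99999

dn: cn=default,ou=Policies,dc=domain,dc=com
pwdMaxAge: 5184000
pwdGraceAuthNLimit: 2
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if not line.strip():
            cur = None
        elif attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries
def gentime(value):  # LDAP GeneralizedTime such as 20180301120000Z, read as UTC
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def ppolicy_state(user, policy, now):  # slapd view: age > pwdMaxAge, then count grace binds
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    if max_age == 0 or "pwdChangedTime" not in user:
        return "ok"
    if (now - gentime(user["pwdChangedTime"][0])).total_seconds() <= max_age:
        return "ok"
    left = int(policy.get("pwdGraceAuthNLimit", ["0"])[0]) - len(user.get("pwdGraceUseTime", []))
    return "expired, %d grace logins" % max(left, 0)

def shadow_state(user, now):  # sssd ldap_pwd_policy=shadow view: days since epoch vs shadowMax
    last, max_days = int(user.get("shadowLastChange", ["0"])[0]), int(user.get("shadowMax", ["99999"])[0])
    return "expired" if now.timestamp() // 86400 > last + max_days else "ok"
def compare(ldif, now_gentime):  # both verdicts for uid=jdoe at the given instant
    entries, now = parse_ldif(ldif), gentime(now_gentime)
    user, policy = entries["uid=jdoe,ou=Users,dc=domain,dc=com"], entries["cn=default,ou=Policies,dc=domain,dc=com"]
    return {"ppolicy": ppolicy_state(user, policy, now), "shadow": shadow_state(user, now)}
```

With the constructed values, ppolicy reports the same "expired, 0 grace logins" state as the slapd log line in the thread, while the shadow rule still says "ok", which is the disagreement the reply points at.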
openldap-technical@openldap.org