I have pwdMustChange set to true in my default ppolicy. I tried to change a user's password EITHER as Manager on LDAP server OR via the following command on my LDAP server
ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W -S "uid=user1,ou=People,dc=example,dc=company"
Since I have pwdMustChange set to true, the user should be required to change his password when he tries to log in next time. But the system doesn't prompt the user to change his password. And when I ran slapcat -a '(uid=user1)', I saw most Operational Attributes except pwdReset. All my settings seem to be correct. I couldn't figure out what is wrong here.
One other question I have is: In my default ppolicy, I have pwdExpireWarning set to 1209600 (14 days). My current password is going to expire in 12 days, how come I don't see a warning message when I ssh to my system?
Thank you for your help.
Regards Wei
On Thursday, 12 August 2010 21:47:18 Wei Gao wrote:
I have pwdMustChange set to true in my default ppolicy. I tried to change a user's password EITHER as Manager on LDAP server OR via the following command on my LDAP server
ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W -S "uid=user1,ou=People,dc=example,dc=company"
Since I have pwdMustChange set to true, the user should be required to change his password when he tries to log in next time.
No.
But the system doesn't prompt the user to change his password. And when I ran slapcat -a '(uid=user1)', I saw most Operational Attributes except pwdReset.
You currently have to set pwdReset manually. I don't see any documentation that indicates that pwdReset should automatically be set when the password is changed in a specific way.
All my settings seem to be correct. I couldn't figure out what is wrong here.
One other question I have is: In my default ppolicy, I have pwdExpireWarning set to 1209600 (14 days). My current password is going to expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards, Buchan
Hello Buchan
I set pwdReset manually and it worked. Thank you.
For my issue regarding pwdExpireWarning not displaying warning message when I ssh into my systems, I still can't figure out what I did wrong. Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE

pwdMaxAge works perfectly and so does every other attribute, except pwdExpireWarning. pwdExpireWarning is the only one I am having issues with now. Not sure what I did wrong. Do you need to know any other details? Thank you very much for taking the time to help me.
Regards Wei
On Mon, Aug 16, 2010 at 11:12 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Thursday, 12 August 2010 21:47:18 Wei Gao wrote:
I have pwdMustChange set to true in my default ppolicy. I tried to change a user's password EITHER as Manager on LDAP server OR via the following command on my LDAP server
ldappasswd -x -D "cn=Manager,dc=example,dc=company" -W -S "uid=user1,ou=People,dc=example,dc=company"
Since I have pwdMustChange set to true, the user should be required to change his password when he tries to log in next time.
No.
But the system doesn't prompt the user to change his password. And when I ran slapcat -a '(uid=user1)', I saw most Operational Attributes except pwdReset.
You currently have to set pwdReset manually. I don't see any documentation that indicates that pwdReset should automatically be set when the password is changed in a specific way.
All my settings seem to be correct. I couldn't figure out what is wrong here.
One other question I have is: In my default ppolicy, I have pwdExpireWarning set to 1209600 (14 days). My current password is going to expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards, Buchan
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
Hello Buchan
I set pwdReset manually and it worked. Thank you.
For my issue regarding pwdExpireWarning not displaying warning message when I ssh into my systems, I still can't figure out what I did wrong. Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see man page), with -e ppolicy option to display ppolicy controls in the response.
pwdMaxAge works perfectly and so does every other attribute, except pwdExpireWarning. pwdExpireWarning is the only one I am having issues with now. Not sure what I did wrong. Do you need to know any other details?
If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack. This will not be the only pam_ldap feature (host-based authorization with pam_check_host_attr will not be adhered to) that doesn't work due to incorrect PAM authorization settings. See my previous reply:
You need to supply your PAM configuration if anyone is to assist you further.
expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards, Buchan
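As an added example (not code from the thread or from OpenLDAP), the script below applies the pwdMaxAge / pwdExpireWarning / pwdReset semantics of Wei's posted cn=default policy to a user entry, so the result that ldapwhoami -e ppolicy ought to return can be predicted before the PAM stack is blamed. The LDIF parser, the evaluate() function and the user's pwdChangedTime value are my own constructions.

```python
# Added example (not code from the thread or OpenLDAP): predict what slapd's
# ppolicy overlay reports for a user under Wei's cn=default policy.
from datetime import datetime, timedelta, timezone

# Values copied from the policy entry posted in the thread.
POLICY_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=company
pwdAttribute: userPassword
pwdExpireWarning: 1209600
pwdMaxAge: 5184000
pwdMustChange: TRUE
"""
# Constructed user operational attributes (not from the thread): password
# changed 48 days before NOW, so 12 of the 60 days of pwdMaxAge remain.
USER_LDIF = """dn: uid=user1,ou=People,dc=example,dc=company
pwdChangedTime: 20100629000000Z
pwdReset: TRUE
"""
NOW = datetime(2010, 8, 16, tzinfo=timezone.utc)

def parse_ldif(text):
    """Minimal one-entry LDIF parser: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def parse_generalized_time(value):
    """GeneralizedTime as slapd writes pwdChangedTime, e.g. 20100629000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def evaluate(policy, user, now):
    """Return the ppolicy state the overlay would put in a bind response."""
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warn_window = int(policy.get("pwdExpireWarning", ["0"])[0])
    # A password change does not set pwdReset by itself (see Buchan's reply);
    # only an explicit pwdReset: TRUE forces a change at next login.
    must_change = user.get("pwdReset", ["FALSE"])[0].upper() == "TRUE"
    if max_age == 0 or "pwdChangedTime" not in user:  # pwdMaxAge 0: never expires
        return {"must_change": must_change, "expired": False, "warn": False, "seconds_left": None}
    expires_at = parse_generalized_time(user["pwdChangedTime"][0]) + timedelta(seconds=max_age)
    seconds_left = int((expires_at - now).total_seconds())
    return {
        "must_change": must_change,
        "expired": seconds_left <= 0,
        # Warning control only while seconds_left <= pwdExpireWarning; PAM must still show it.
        "warn": 0 < seconds_left <= warn_window,
        "seconds_left": max(seconds_left, 0),
    }
```

If this predicts a warning but sshd shows none, the server side is behaving and the account phase of the PAM stack is where to look.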
Hello Buchan
I am running the rpm package openldap server 2.3 that comes with CentOS 5.4 and my ldap client is CentOS 4. Looks like there is no ldapwhoami -e ppolicy option on CentOS4 client, as you can see below. I also copy and paste the client's /etc/pam.d/system-auth below.
[user1@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (an RFC 2254 Filter)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]manageDSAit
             [!]noop
             [!]postread[=<attrs>] (a comma-separated attribute list)
             [!]preread[=<attrs>]  (a comma-separated attribute list)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Indentifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)
[user1@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

#password   requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
Do you see anything configured wrong in my /etc/pam.d/system-auth? Thanks so much for your help with this issue.
Regards Wei
On Aug 17, 2010 4:43am, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
Hello Buchan
I set pwdReset manually and it worked. Thank you.
For my issue regarding pwdExpireWarning not displaying warning message when I ssh into my systems, I still can't figure out what I did wrong. Here is my default policy:
dn: cn=default,ou=Policies,dc=example,dc=company
objectClass: top
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 1209600
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdInHistory: 24
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 3
pwdMinLength: 12
pwdMustChange: TRUE
pwdSafeModify: FALSE
So, test your policy with ldapwhoami (with appropriate options, see man page),
with -e ppolicy option to display ppolicy controls in the response.
pwdMaxAge works perfectly and so does every other attribute, except pwdExpireWarning. pwdExpireWarning is the only one I am having issues with now. Not sure what I did wrong. Do you need to know any other details?
If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings. See my previous reply:
You need to supply your PAM configuration if anyone is to assist you further.
expire in 12 days, how come I don't see a warning message when I ssh to my system?
Misconfigured PAM stack probably (authorization, IOW account lines). There have been previous solutions in previous threads on this topic, and without any details of your system it isn't possible to assist further.
Regards, Buchan
On Wednesday, 18 August 2010 22:26:38 weigao88@gmail.com wrote:
Hello Buchan
I am running the rpm package openldap server 2.3 that comes with CentOS 5.4
So test this client from the "server".
and my ldap client is CentOS 4. Looks like there is no ldapwhoami -e ppolicy option on CentOS4 client, as you can see below. I also copy and paste the client's /etc/pam.d/system-auth below.
[user1@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid
usage: ldapwhoami [options]
You will of course actually have to *read* the usage instructions, and supply suitable options/values.
[user1@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
I usually go for something more like:
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_ldap.so
account     required      pam_deny.so
But, if you aren't going to bother to learn how PAM works, you probably shouldn't be taking advice from random strangers on the internet.
Regards, Buchan
openldap-technical@openldap.org