I need help/advice on ppolicy against Linux servers.
I am running OpenLDAP 2.3.43-3.el5 (Red Hat rpm) on RHEL5. I am using the ppolicy overlay. The overlay seems to work with all of the tools, etc., that use this LDAP, except for the Linux servers. With these servers, we get no expiry warning, and users can log in after the password has expired (unlimited). We are using PAM/LDAP on these servers.
Debugging this issue has caused me a bit of confusion. In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user. How does the policy work in this situation?
Am I missing something here?
Here's what I see when I log in as a user (second login, pwdGraceAuthNLimit=2):

login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:03 2009 from 10.50.1.135
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Success (0) (Password expired, 1 grace logins remain)
dn:uid=test_user,ou=people,o=theorg,dc=example,dc=net
Result: Success (0)
[test_user@linux_box ~]$ exit
Then on the next login:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:39:26 2009 from 10.50.1.135
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$ exit
Yet again:
login as: test_user
test_user@linux_box's password:
Last login: Fri Oct 23 19:40:12 2009 from 10.50.1.135
[test_user@linux_box ~]$ ldapwhoami -x -D "uid=test_user,ou=people,o=theorg,dc=example,dc=net" -W -e ppolicy
Enter LDAP Password:
ldap_bind: Invalid credentials (49); Password expired
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'uid=test_user,ou=people,o=theorg,dc=example,dc=net' -w ldapspwd +
# extended LDIF
#
# LDAPv3
# base <uid=test_user,ou=people,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: +
#

# test_user, people, theorg, example.net
dn: uid=test_user,ou=people,o=theorg,dc=example,dc=net
structuralObjectClass: person
entryUUID: d45aa296-a3e4-102d-8c8e-0b16af70e85f
creatorsName: cn=ldapmanager,o=theorg,dc=example,dc=net
createTimestamp: 20090313063503Z
pwdHistory: 20091023185344Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RCW90SLv$8PfQ99gzlJd.7TH2HnhOS0
pwdHistory: 20091023190836Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$RM6V/Ene$0oGsI47SUaIDFap9Nft3z1
pwdHistory: 20091023191529Z#1.3.6.1.4.1.1466.115.121.1.40#41#{crypt}$1$18vC.s93$cT38cSrrF/PXMhWqV.P.r/
pwdPolicySubentry: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
pwdChangedTime: 20091023191529Z
pwdGraceUseTime: 20091023193816Z
pwdGraceUseTime: 20091023193905Z
entryCSN: 20091023193905Z#000000#00#000000
modifiersName: cn=ldapmanager,o=theorg,dc=example,dc=net
modifyTimestamp: 20091023193905Z
entryDN: uid=test_user,ou=people,o=theorg,dc=example,dc=net
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$ ldapsearch -x -D 'cn=ldapmanager,o=theorg,dc=example,dc=net' -b 'cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net' -w ldapspwd
# extended LDIF
#
# LDAPv3
# base <cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ppdefault_test, policies, theorg, example.net
dn: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
cn: ppdefault_test
objectClass: person
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdGraceAuthNLimit: 2
pwdCheckQuality: 1
pwdInHistory: 3
pwdLockoutDuration: 60
pwdMaxFailure: 5
pwdFailureCountInterval: 603
sn: ppdefault_test
pwdMaxAge: 120
pwdExpireWarning: 100
description: test
pwdMinAge: 1
pwdSafeModify: FALSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[test_user@linux_box ~]$ cat /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
[test_user@linux_box ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 type=LDAP
password    sufficient    /lib/security/$ISA/pam_unix.so nullok md5 use_authtok shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
Any advice would be much appreciated (I swear this worked when I tested it last March).
Thanks, Joe
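The thread's key observation is that the expiry warning and grace-login count only come back as a ppolicy response control on a bind performed as the user; a search done with a separate binddn just returns the operational attributes (pwdChangedTime, pwdGraceUseTime) plus the policy entry. The following is an added example, not code from this thread or from OpenLDAP, showing how to recompute that state offline from exactly those attributes, so an administrator can audit which accounts are expired or in their grace window without binding as each user. The LDIF is a trimmed copy of the two entries quoted above; the function names and the grace-count rule (grace remaining reported as limit minus prior pwdGraceUseTime values, which matches the "1 grace logins remain" then "Password expired" sequence shown above) are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: the user entry and its pwdPolicySubentry from the
# ldapsearch output in the thread, trimmed to the attributes that drive expiry.
# The pwdPolicySubentry value is deliberately folded to exercise LDIF
# continuation-line handling.
USER_LDIF = """\
dn: uid=test_user,ou=people,o=theorg,dc=example,dc=net
pwdPolicySubentry: cn=ppdefault_test,ou=policies,o=theorg,dc=example,
 dc=net
pwdChangedTime: 20091023191529Z
pwdGraceUseTime: 20091023193816Z
pwdGraceUseTime: 20091023193905Z
"""

POLICY_LDIF = """\
dn: cn=ppdefault_test,ou=policies,o=theorg,dc=example,dc=net
pwdMaxAge: 120
pwdExpireWarning: 100
pwdGraceAuthNLimit: 2
"""


def parse_ldif(text):
    """Minimal LDIF reader for a single entry: returns {attr: [values]}.
    Continuation lines (leading space) are joined to the previous line, which is
    how folded values such as the pwdHistory lines in the thread come out whole.
    Base64 ('attr::') values are not handled; none appear in the thread."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def gentime(value):
    """Parse an LDAP GeneralizedTime such as 20091023191529Z (UTC, whole seconds)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate_bind(user, policy, now):
    """Approximate the ppolicy overlay's expiry decision for a bind *as the user*
    at time `now`, from the attributes a privileged search returns. Returns:
      ("ok", seconds_left)        not yet inside the pwdExpireWarning window
      ("warning", seconds_left)   the control would carry timeBeforeExpiration
      ("grace", grace_remaining)  expired; this bind would consume a grace login
      ("expired", 0)              expired, no grace left; bind fails with (49)
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    warn = int(policy.get("pwdExpireWarning", ["0"])[0])
    grace_limit = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    if max_age == 0:
        return ("ok", None)  # pwdMaxAge 0 means passwords never expire
    changed = gentime(user["pwdChangedTime"][0])
    seconds_left = int((changed + timedelta(seconds=max_age) - now).total_seconds())
    if seconds_left > 0:
        return ("warning" if seconds_left <= warn else "ok", seconds_left)
    # Expired: each successful grace bind adds a pwdGraceUseTime value.
    used = len(user.get("pwdGraceUseTime", []))
    if used < grace_limit:
        return ("grace", grace_limit - used)
    return ("expired", 0)


if __name__ == "__main__":
    user = parse_ldif(USER_LDIF)
    policy = parse_ldif(POLICY_LDIF)
    # At the time of the last grace use in the thread both grace logins are spent.
    print(evaluate_bind(user, policy, gentime("20091023193905Z")))
```

To run this against a live directory, feed it the output of an ldapsearch that requests operational attributes (the trailing `+` in the thread's command), since pwdChangedTime and pwdGraceUseTime are not returned by default. Note what it cannot see: pwdFailureTime and pwdAccountLockedTime are omitted here, so lockout state is not evaluated.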
Joe Friedeggs schrieb:
Debugging this issue has caused me a bit of confusion. In the LDAP logs, when logging into other equipment that 'binds as user', I see warnings, etc. returned:
ppolicy_bind: Setting warning for password expiry for uid=test_user,ou=people,o=theorg,dc=example,dc=net = 1251 secds
BUT, since the Linux LDAP client has a separate 'binddn', I don't see these warnings when the Linux LDAP client does the ldapsearch to validate the user. How does the policy work in this situation?
Am I missing something here?
Hello,
have a look at 'man pam_ldap':
<snip>
pam_lookup_policy <yes|no>
    Specifies whether to search the root DSE for password policy. The default is "no".
<snap>
Did you set that to yes on your clients in /etc/ldap.conf or whatever it is called on RHEL5?
Regards, Christian Manal
Thanks for the response, Christian.
Yes, I have the following in my LDAP clients' /etc/ldap.conf:

host ldap_svc
binddn cn=simpleBind,o=theorg,dc=example,dc=net
bindpw simpleBind
bind_timelimit 3
base o=theorg,dc=example,dc=net
sudoers_base ou=sudoers,o=theorg,dc=example,dc=net
timelimit 7
idle_timelimit 3600
nss_base_passwd         ou=people,o=theorg,dc=example,dc=net?one
nss_base_shadow         ou=people,o=theorg,dc=example,dc=net?one
nss_base_group          ou=groups,o=theorg,dc=example,dc=net?one
nss_reconnect_tries 3
nss_initgroups_ignoreusers root,ldap,named,haldaemon,radiusd,linux_admin
pam_password md5
pam_groupdn cn=level_3,ou=host_ssh_access,o=theorg,dc=example,dc=net
pam_member_attribute uniqueMember
pam_lookup_policy yes

Thanks, John
openldap-technical@openldap.org