Hello List,
I am still troubled with the issue of a user's password expiring: they get the messages to change, and successfully change the password. Then the next time that they log in, the password loop begins again.
I searched the archives and didn't really find a solution, but could have sworn that I had seen it solved some time back. The setup I am working with is RHEL4 servers and FDS fedora-ds-1.0.2-1.RHEL4. The clients are a mix of Fedora versions and RHEL4 machines. Everything works great (authentication, netgroups, autofs, etc.) other than this one issue.
Here are the relevant entries (I think!) from ldap.conf on a client (RHEL4):

ssl start_tls
ssl on
tls_checkpeer no
tls_reqcert never
tls_cacertfile /usr/share/ssl/certs/ca-bundle.crt
tls_cacertdir /usr/share/ssl/certs
pam_password crypt
pam_lookup_policy yes
The pam.d/system-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
and the log entry when logging in with ssh shows:
sshd(pam_unix)[4227]: session opened for user
but if I fumble the password it shows:
passwd[4222]: pam_ldap: error trying to bind as user ....
So, like I was several months ago, I am still stumped on what I have overlooked.
Any ideas or suggestions on what I have overlooked?
Can I find some log entries on the LDAP server that may point to what I have misconfigured or not configured?
Many Thanks
> I am still troubled with the issue of a user's password expiring: they get the messages to change, and successfully change the password. Then the next time that they log in, the password loop begins again.

If you are using the shadowAccount objectclass for passwords (versus password policies), I had this same issue until I enabled self-write access to the shadowLastChange attribute.

In the Directory tab, select the root domain.
Right click and select Set Access Permissions.
Select "Enable self-write for common attributes" and click on Edit.
Select "Self" and click on the Edit Manually button.
After "userPassword", insert "|| shadowLastChange" and click on OK, and again on OK on the parent window.
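The loop Kyle describes comes from the order of operations on the client: pam_ldap writes the new userPassword and then tries to write shadowLastChange; if the self-write ACI only covers userPassword, the second write is denied, the old change date stays on the entry, and the next account check still computes the password as expired. The following is an added example, not code from the thread or from Fedora DS; it models that client-side shadow check and the two ACI cases with constructed entries and day counts, and the LDIF at the top is my assumed ldapmodify equivalent of the console steps above (the ACI name and the target suffix are placeholders).

```python
"""Model of the shadowAccount expiry loop: added example, constructed data."""
from __future__ import annotations
from dataclasses import dataclass

# Assumed ldapmodify equivalent of the console steps (placeholder suffix and
# ACI name; the attribute list is what the thread says to allow).
SELF_WRITE_ACI_LDIF = """\
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="userPassword || shadowLastChange")(version 3.0;
 acl "Self-write for password aging"; allow (write) userdn="ldap:///self";)
"""


@dataclass
class Entry:
    """Minimal shadowAccount entry (constructed, not a real directory record)."""
    uid: str
    userPassword: str
    shadowLastChange: int      # days since 1970-01-01 of the last change
    shadowMax: int = 90        # days a password stays valid
    shadowWarning: int = 7     # days before expiry to start warning
    shadowInactive: int = -1   # grace days after expiry; -1 = no limit


def shadow_status(entry: Entry, today: int) -> str:
    """Classify an entry the way a shadow-aware PAM account check does.

    Returns 'ok', 'warn', 'expired' (must change now) or
    'inactive' (past the grace period, login denied).
    """
    if entry.shadowLastChange == 0:
        return "expired"               # 0 means "change at next login"
    if entry.shadowMax < 0:
        return "ok"                    # no maximum age configured
    expiry_day = entry.shadowLastChange + entry.shadowMax
    if today > expiry_day:
        if entry.shadowInactive >= 0 and today > expiry_day + entry.shadowInactive:
            return "inactive"
        return "expired"
    if entry.shadowWarning > 0 and today >= expiry_day - entry.shadowWarning:
        return "warn"
    return "ok"


def change_password(entry: Entry, new_password: str, today: int,
                    self_write_attrs: set[str]) -> list[str]:
    """Apply the modifies pam_ldap sends for a self-service password change.

    userPassword is written first, shadowLastChange second; each write is
    subject to the self-write ACI (modelled by self_write_attrs). A denied
    second write leaves a fresh password next to a stale change date.
    Returns the attributes that were actually updated.
    """
    updated: list[str] = []
    if "userPassword" in self_write_attrs:
        entry.userPassword = new_password
        updated.append("userPassword")
    if "shadowLastChange" in self_write_attrs:
        entry.shadowLastChange = today
        updated.append("shadowLastChange")
    return updated


def login_cycle(self_write_attrs: set[str], days: int = 3) -> list[str]:
    """Simulate daily logins after expiry; returns the status seen each day."""
    today = 13000                                   # constructed day count
    user = Entry("alice", "{SSHA}old", shadowLastChange=today - 120)
    seen = []
    for day in range(days):
        status = shadow_status(user, today + day)
        seen.append(status)
        if status == "expired":                     # user is forced to change
            change_password(user, f"{{SSHA}}new{day}", today + day, self_write_attrs)
    return seen


if __name__ == "__main__":
    print("ACI covers userPassword only:     ", login_cycle({"userPassword"}))
    print("ACI covers shadowLastChange too:  ",
          login_cycle({"userPassword", "shadowLastChange"}))
    print(SELF_WRITE_ACI_LDIF)
```

Running it shows the first configuration reporting "expired" on every login while the second reports "expired" once and "ok" afterwards. On a real server the same mismatch is visible in the access log as a successful MOD of userPassword followed by a result code 50 (insufficient access) for shadowLastChange, which is the entry to look for when confirming this diagnosis.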
Kyle Tucker wrote:
> > I am still troubled with the issue of a user's password expiring: they get the messages to change, and successfully change the password. Then the next time that they log in, the password loop begins again.
>
> If you are using the shadowAccount objectclass for passwords (versus password policies), I had this same issue until I enabled self-write access to the shadowLastChange attribute.
>
> In the Directory tab, select the root domain.
> Right click and select Set Access Permissions.
> Select "Enable self-write for common attributes" and click on Edit.
> Select "Self" and click on the Edit Manually button.
> After "userPassword", insert "|| shadowLastChange" and click on OK, and again on OK on the parent window.
That did the trick! Many Thanks!
389-users@lists.fedoraproject.org