Towards the bottom it mentions a couple of ldap.conf entries that are
necessary along with activating the pw policy.
Will post if any oddness is discovered.
Thanks!
--jim
Jim Summers wrote:
Jeff Medcalf wrote:
> Jim,
>
> I haven't tried this on FDS, but given that it has the same base as
> SunONE and the old iPlanet, I would assume it works the same as those
> directory servers. In that case, and assuming that you are using
> pam_ldap, go ahead and use the password policy: pam_ldap knows about
> it and works correctly with it.
I am a little confused on what is actually being used. I see the
following entries in machines here:
=========================================
Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account
configuration[13]: User account has expired
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP
server...
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server
after 1 attempt(s)
=========================================
So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess
they could be one and the same?
and system-auth has:
======================================
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
======================================
So I would think it is pam_ldap.
I am going to double-check the pam config to make sure it is still
following recommendations.
>
> Oh, and if you are using the pam_ldap that comes with Solaris, you
> might try switching to the open source version: the Sun version is
> terribly buggy and horrible.
Will do. The majority are linux clients.
>
> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
>
>> Hello List,
>>
>> Being in the midst of evaluating and hopefully migrating to FDS
>> soon, I have stumbled onto an odd problem.
>>
>> My user information is kept in the People container. We have been
>> using shadowExpire / shadowLastChange fields.
>>
>> This all seems to work except when a user's account is ready to
>> expire and is prompted to change their password. Using passwd, the
>> user can change the password, but the system continues to prompt for
>> a new password upon each successive login.
>>
>> Looking at the data, the shadowExpire / LastChange never get
>> updated. I am also not seeing any errors being generated in the
>> logs. I can manually update those fields and the problem goes
>> away. But I guess I thought passwd / nss_ldap / pam would update
>> those fields as needed.
>>
>> Looking in the docs, all I see is configuring a password policy.
>> But that seems to be directed at users actually connecting to the
>> directory via console / ldapsearch, etc....
>>
>> Initially I thought I was having some ACI issues but I am really not
>> sure. It could be that I need to drop the shadow stuff and
>> configure the password policy?
>>
>> Advice or suggestions on what I am missing or where I have gone wrong?
>>
>>
>> TIA
>> --
>> Jim Summers
>> School of Computer Science-University of Oklahoma
>> -------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users(a)redhat.com
>>
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
>
> --
> Jeff Medcalf
> jeff(a)caerdroia.org
>
>
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
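The symptom in the original question (passwd accepted a new password, but every later login still demanded a change until shadowLastChange was edited by hand) follows directly from how the shadowAccount attributes are evaluated. The following is an added example, not code from this thread, from pam_ldap/nss_ldap or from Fedora Directory Server: it applies the shadow-ageing checks that pam_unix's account stage performs on /etc/shadow (and that nss_ldap feeds from LDAP) to a constructed entry, and then builds the LDIF modification that resets shadowLastChange the way the poster did manually. The DN, attribute values and the date used for "today" are all assumptions made up for the example.

```python
"""Evaluate shadowAccount ageing attributes the way pam_unix does, and build
the LDIF 'modify' that records a password change in shadowLastChange.

Added example for the thread above; not code from pam_ldap, nss_ldap or
Fedora Directory Server.  The entry, DN and dates below are constructed.
"""

from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadow(5) stores days, not seconds, since 1970-01-01."""
    return (d - EPOCH).days


def shadow_state(entry: dict, today: int) -> str:
    """Classify an account from its shadowAccount attributes.

    Attribute semantics (shadow(5)):
      shadowExpire      absolute day the account expires (-1/absent: never)
      shadowLastChange  day of the last password change (0: change forced)
      shadowMax         max days a password stays valid (-1/absent: no limit)
      shadowInactive    grace days after password expiry before lock-out

    Returns "expired", "change_required" or "ok".  A stale shadowLastChange
    therefore keeps returning "change_required" no matter how many times the
    password itself is changed, which is the behaviour reported in the thread.
    """
    expire = int(entry.get("shadowExpire", -1))
    last = int(entry.get("shadowLastChange", -1))
    max_days = int(entry.get("shadowMax", -1))
    inactive = int(entry.get("shadowInactive", -1))

    if 0 <= expire < today:
        return "expired"                      # account-level expiry
    if last == 0:
        return "change_required"              # administrator forced a change
    if last > 0 and max_days >= 0:
        if inactive >= 0 and today > last + max_days + inactive:
            return "expired"                  # past the inactivity grace period
        if today > last + max_days:
            return "change_required"          # password older than shadowMax
    return "ok"


def last_change_ldif(dn: str, today: int) -> str:
    """LDIF that records a password change: what the poster applied by hand."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: shadowLastChange",
        f"shadowLastChange: {today}",
        "",
    ])


if __name__ == "__main__":
    # Constructed entry: password last changed 136 days before the log date
    # in the thread, with a 90-day maximum.  Values are made up.
    dn = "uid=jsummers,ou=People,dc=example,dc=com"   # hypothetical DN
    entry = {"shadowLastChange": "13000", "shadowMax": "90"}
    today = days_since_epoch(date(2005, 12, 19))
    print("before:", shadow_state(entry, today))
    print(last_change_ldif(dn, today))
    entry["shadowLastChange"] = str(today)
    print("after: ", shadow_state(entry, today))
```

Feed the LDIF to ldapmodify against the directory (with a bind that the ACIs allow to write shadowLastChange) and the recurring prompt stops; that is the same fix the poster found by editing the attribute directly. Whether passwd on a given client writes that attribute itself depends on the pam_ldap build and the ACI granting the user write access to it, which is the point the thread was still working out.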