Re: [Fedora-directory-users] ShadowPassword / ShadowExpire

Jeff Medcalf wrote: > Jim, > > I haven't tried this on FDS, but given that it has the same base as > SunONE and the old iPlanet, I would assume it works the same as those > directory servers. In that case, and assuming that you are using > pam_ldap, go ahead and use the password policy: pam_ldap knows about > it and works correctly with it. I am a little confused on what is actually being used. I see the following entries in machines here: ========================================= Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account configuration[13]: User account has expired Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP server... Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server after 1 attempt(s) ========================================= So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess they could be one in the same? and system-auth has: ====================================== auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass auth required /lib/security/$ISA/pam_deny.so ====================================== So I would think it is pam_ldap. I am going to double-check the pam config to make sure it is still following recommendations. > > Oh, and if you are using the pam_ldap that comes with Solaris, you > might try switching to the open source version: the Sun version is > terribly buggy and horrible. Will do. The majority are linux clients. > > On Dec 16, 2005, at 3:06 PM, Jim Summers wrote: > >> Hello List, >> >> Being in the midst of evaluating and hopefully migrating to FDS >> soon. I have stumbled onto a odd problem. >> >> My user information is kept in the People container. We have been >> using shadowExpire / shadowLastChange fields. >> >> This all seems to work except when a user's account is ready to >> expire and is prompted to change their password. Using passwd, the >> user can change the password, but the system continues to prompt for >> a new password upon each successive login. >> >> Looking at the data, the shadowExpire / LastChange never get >> updated. I am also not seeing any errors being generated in the >> logs. I can manually update those fields and the problem goes >> away. But I guess I thought passwd / nss_ldap / pam would update >> those fields as needed. >> >> Looking in the docs, all I see is configuring a password policy. >> But that seems to be directed at users actually connecting to the >> directory via console / ldapsearch, etc.... >> >> Initially I thought I was having some ACI issues but I am really not >> sure. It could be that I need to drop the shadow stuff and >> configure the password policy? >> >> Advice or suggestions on what I am missing or where I have gone wrong? >> >> >> TIA >> -- >> Jim Summers >> School of Computer Science-University of Oklahoma >> ------------------------------------------------- >> >> -- >> Fedora-directory-users mailing list >> Fedora-directory-users(a)redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users > > > > -- > Jeff Medcalf > jeff(a)caerdroia.org > >