# cd config/schema
# grep -i passwordexpirationtime *
00core.ldif:attributeTypes: ( 2.16.840.1.113730.3.1.91 NAME
'passwordExpirationTime' DESC 'Sun ONE defined password policy attribute
type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation
X-DS-USE 'internal' X-ORIGIN 'Sun ONE Directory Server' )
00core.ldif:objectClasses: ( 2.16.840.1.113730.3.2.12 NAME 'passwordObject' DESC
'Sun ONE defined password policy objectclass' SUP top AUXILIARY MAY (
passwordExpirationTime $ passwordExpWarned $ passwordRetryCount $ retryCountResetTime $
accountUnlockTime $ passwordHistory $ passwordAllowChangeTime ) X-DS-USE
'internal' X-ORIGIN 'Sun ONE Directory Server' )
#
I am not sure if FDS 1.0.2 provides the "passwordexpirationtime" attribute just
like Sun DS 5.2; if so, please read:
http://docs.sun.com/app/docs/doc/817-0962/6mgnp4m9s?a=view
...
Configuring the Directory Server to Enable Password Management
See the “User Account Management” chapter in the Sun ONE Directory Server 5.1
Administrator's Guide for how to use the Directory Server Console or ldapmodify to
configure the password management policy for the LDAP directory. In order for pam_ldap to
work properly, the password and account lockout policy must be properly configured on the
server.
Passwords for proxy users should never be allowed to expire. If proxy passwords expire,
clients using the proxy credential level cannot retrieve naming service information from
the server. To ensure that proxy users have passwords that do not expire, modify the proxy
accounts with the following script.
# ldapmodify -h ldapserver -D "administrator DN" \
-w "administrator password" <<EOF
dn: proxy user DN
changetype: modify
replace: passwordexpirationtime
passwordexpirationtime: 20380119031407Z
EOF
_____
Note –
pam_ldap password management relies on Sun ONE Directory Server 5.1 to maintain and
provide password aging and account expiration information for users. The directory server
does not interpret the corresponding data from shadow entries to validate user accounts.
pam_unix, however, examines the shadow data to determine if accounts are locked or if
passwords are aged. Since the shadow data is not kept up to date by the LDAP naming
services or the directory server, pam_unix should not grant access based on the shadow
data. The shadow data is retrieved using the proxy identity. Therefore, do not allow proxy
users to have read access to the userPassword Attribute. Denying proxy users read access
to userPassword prevents pam_unix from making an invalid account validation.
...
The above may not be applicable if FDS 1.0.2 password policy features are NOT identical
to Sun DS 5.2.
Gary
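The Sun procedure above pins passwordExpirationTime on the proxy account to 20380119031407Z, and the lockout described in the original message below lives in the same family of operational attributes that the grep of 00core.ldif lists (accountUnlockTime, passwordRetryCount, retryCountResetTime). As an added example, not code from this thread or from the Sun documentation, here is a Python script that takes the LDIF you get from an ldapsearch of the proxy account's operational attributes, reports whether the password is about to expire or the account is currently locked, and renders the ldapmodify record that repairs it. The ldapsearch command in the docstring, the DN, the sample LDIF and the lockout threshold of 3 are assumptions constructed for the example.

```python
"""Audit a proxy bind account's password-policy state from captured ldapsearch
output and emit the ldapmodify LDIF that repairs it.

Added example, not from the thread or the Sun docs quoted above. Assumes you
have already dumped the account's operational attributes as Directory Manager:

    ldapsearch -D "cn=Directory Manager" -w ... -s base \
        -b "uid=proxyagent,ou=profile,dc=example,dc=com" \
        passwordExpirationTime accountUnlockTime passwordRetryCount retryCountResetTime
"""
from datetime import datetime, timedelta, timezone

# 2038-01-19 03:14:07Z is 2**31 - 1 seconds after the Unix epoch (the largest
# signed 32-bit time_t): the "never expires" value the Sun docs use.
NEVER_EXPIRE = "20380119031407Z"
# Assumption: the global policy locks after 3 failed binds, as in the thread.
LOCKOUT_THRESHOLD = 3


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Attribute names are lower-cased: LDAP attribute types are case-insensitive
    (schema says passwordExpirationTime, the Sun example writes
    passwordexpirationtime). Folded lines (leading space) are unfolded.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, sep, value = line.partition(":")
        if sep:
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """GeneralizedTime (syntax 1.3.6.1.4.1.1466.115.121.1.24) as YYYYMMDDHHMMSSZ."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def audit_proxy_account(ldif, now, warn_within=timedelta(days=30)):
    """Return (dn, findings, mods); mods are (op, attribute, value) tuples."""
    entry = parse_ldif_entry(ldif)
    dn = entry["dn"][0]
    findings, mods = [], []

    # 1. Proxy passwords must never expire, or every client loses the naming service.
    exp = entry.get("passwordexpirationtime")
    if exp is None:
        findings.append("no passwordExpirationTime set; policy default applies")
        mods.append(("replace", "passwordExpirationTime", NEVER_EXPIRE))
    elif parse_generalized_time(exp[0]) - now < warn_within:
        findings.append(f"password expires at {exp[0]} (within {warn_within.days} days)")
        mods.append(("replace", "passwordExpirationTime", NEVER_EXPIRE))

    # 2. Lockout in progress: accountUnlockTime is still in the future.
    unlock = entry.get("accountunlocktime")
    if unlock and parse_generalized_time(unlock[0]) > now:
        findings.append(f"account locked until {unlock[0]}")
        # Deleting accountUnlockTime is what the poster found restores access.
        mods.append(("delete", "accountUnlockTime", None))

    # 3. Failed-bind counter: at the threshold, the next bad bind locks again.
    retries = int(entry.get("passwordretrycount", ["0"])[0])
    if retries >= LOCKOUT_THRESHOLD:
        findings.append(f"passwordRetryCount={retries} reached threshold {LOCKOUT_THRESHOLD}")
    elif retries > 0:
        findings.append(f"passwordRetryCount={retries}: a client binds with a wrong proxy password")
    return dn, findings, mods


def render_modify_ldif(dn, mods):
    """Render a changetype: modify record for ldapmodify, one '-' per mod-spec."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        lines.append(f"{op}: {attr}")
        if value is not None:
            lines.append(f"{attr}: {value}")
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: the proxy account mid-lockout, as described in the thread.
SAMPLE_LOCKED = """dn: uid=proxyagent,ou=profile,dc=example,dc=com
passwordExpirationTime: 20060601000000Z
passwordRetryCount: 3
retryCountResetTime: 20060517001500Z
accountUnlockTime: 20060517010000Z
"""
# Constructed sample: the same account after the fix.
SAMPLE_HEALTHY = """dn: uid=proxyagent,ou=profile,dc=example,dc=com
passwordExpirationTime: 20380119031407Z
passwordRetryCount: 0
"""
SAMPLE_NOW = datetime(2006, 5, 17, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    dn, findings, mods = audit_proxy_account(SAMPLE_LOCKED, SAMPLE_NOW)
    for finding in findings:
        print("finding:", finding)
    print(render_modify_ldif(dn, mods))
```

Feed the real ldapsearch output in place of SAMPLE_LOCKED; the script never contacts the directory itself, so it can run from any host. The rendered record goes to ldapmodify bound as an administrator, exactly as in the Sun snippet above.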
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com on behalf of Jo De Troy
Sent: Tue 5/16/2006 11:19 PM
To: fedora-directory-users(a)redhat.com
Cc:
Subject: [Fedora-directory-users] Solaris9 client problems / questions
Hello,
I have set up a Solaris9 server as LDAP client to FedoraDS 1.0.2 on CentOS4. (I have
followed the Solaris client howto and the documentation on
http://web.singnet.com.sg/~garyttt/ )
Every few minutes the proxyagent, which is used to connect from Solaris to the LDAP
server, gets locked out. I have a global pwdpolicy that enables lockouts after 3 login
failures. After this account gets locked out I cannot connect any more [ldaplist returns
Object not found (Session error no available conn.)]. If I delete the accountunlocktime
attribute of the proxyagent I'm back in business. Is there a way to stop the locking
of this account? I've tried to set up a special pwdpolicy for the proxyagent, without
success.
Secondly, I don't see how I can get TLS working. In the Solaris client howto document
it's written to start up Netscape and connect to http://ldapserver:636 to somehow get
the certificates for the Solaris client. I must be doing something wrong, since this just
doesn't work. Is there another way of getting the required certificates on the Solaris
client? I guess I only need the CA certificates on the Solaris client, or not?
Best Regards,
Jo