Jeff Medcalf wrote:
I haven't tried this on FDS, but given that it has the same base as
SunONE and the old iPlanet, I would assume it works the same as those
directory servers. In that case, and assuming that you are using
pam_ldap, go ahead and use the password policy: pam_ldap knows about it
and works correctly with it.
I am a little confused on what is actually being used. I see the
following entries in machines here:
Dec 19 09:34:22 XXXXXX sshd: PAM rejected by account
configuration: User account has expired
Dec 19 09:36:21 XXXXXX sshd: nss_ldap: reconnecting to LDAP server...
Dec 19 09:36:21 XXXXXX sshd: nss_ldap: reconnected to LDAP server
after 1 attempt(s)
So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess
they could be one in the same?
and system-auth has:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
So I would think it is pam_ldap.
I am going to double-check the pam config to make sure it is still
Oh, and if you are using the pam_ldap that comes with Solaris, you
might try switching to the open source version: the Sun version is
terribly buggy and horrible.
Will do. The majority are linux clients.
On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
> Hello List,
> Being in the midst of evaluating and hopefully migrating to FDS
> soon. I have stumbled onto a odd problem.
> My user information is kept in the People container. We have been
> using shadowExpire / shadowLastChange fields.
> This all seems to work except when a user's account is ready to
> expire and is prompted to change their password. Using passwd, the
> user can change the password, but the system continues to prompt for
> a new password upon each successive login.
> Looking at the data, the shadowExpire / LastChange never get
> updated. I am also not seeing any errors being generated in the
> logs. I can manually update those fields and the problem goes away.
> But I guess I thought passwd / nss_ldap / pam would update those
> fields as needed.
> Looking in the docs, all I see is configuring a password policy. But
> that seems to be directed at users actually connecting to the
> directory via console / ldapsearch, etc....
> Initially I thought I was having some ACI issues but I am really not
> sure. It could be that I need to drop the shadow stuff and configure
> the password policy?
> Advice or suggestions on what I am missing or where I have gone wrong?
> Jim Summers
> School of Computer Science-University of Oklahoma
> Fedora-directory-users mailing list
School of Computer Science-University of Oklahoma