Sorry I forgot to include, but I have pam_lookup_policy yes already set
in ldap.conf.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Jonathan
Barber
Sent: Thursday, January 19, 2006 11:04 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Password history is not being
enforced by the directory server
On Thu, Jan 19, 2006 at 11:01:26AM -0500, Bliss, Aaron wrote:
> It appears that this is an issue with the client; if I attempt to change
> a user's password from within fds using a password that I've already
> used for that user, I get a warning from fds indicating that it
> violates the password history rule. However, using passwd from a client
> allows usage of old passwords.
PADL libnss_ldap has another option (present in 2.4.3 at least):
pam_lookup_policy yes
which may be what you need.
Aaron
-----Original Message-----
From: fedora-directory-users-bounces(a)redhat.com
[mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of
Richard Megginson
Sent: Thursday, January 19, 2006 10:59 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Password history is not being
enforced by the directory server
Bliss, Aaron wrote:
>I'm not sure why, but for some reason the directory servers are not
>enforcing password history policies. I've set the policy from within
>the fds console at the data level (as described in directory server
>documentation).
>
Did you set "Enable fine-grained password policy" under the
Configuration tab -> Data node -> Passwords tab? Because the console
will allow you to configure the fine grained password policy under the
Directory tab even if this is not set, but it will not take effect.
>Here is a sample ldap.conf file:
>
>pam_password exop
>pam_password clear
>pam_password md5
>ssl start_tls
>ssl on
>
>I'm running fds 1.0.1 on a redhat 4 box (actually I have 2 directory
>servers; I've set this policy on both servers, and supplier/consumer
>replication is set up between them).
>
>I've verified that this is not enforced regardless if the client has
>ssl enabled or not.
>
Did you try ldapmodify from the command line to see if the problem is
with FDS or with PAM? e.g.
ldapmodify -D "uid=user,ou=people,dc=company,dc=com" -w currentpassword <<EOF
dn: uid=user,ou=people,dc=company,dc=com
changetype: modify
replace: userPassword
userPassword: passwordinhistory
EOF
>Please advise as this is a highly critical issue that I must get
>fixed in order to move this into production. Thanks very much.
>
>Aaron
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users(a)redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Jonathan Barber
High Performance Computing Analysis
Tel. +44 (0) 1382 86389