Hello,
I have searched for an appropriate list to post this question and figured this was the best I could find, and apologize in advance for the wasted bandwidth and chatter. Just point me in the right direction.
I am trying to implement a password policy (i.e. password expiration (max age), password history, etc.) on RHEL 5.
I am kind of at a loss. Are there any plans to add functionality into sssd for RHEL5 that will give this type of functionality?
See below for details on what I have tried.
I was hoping to use sssd with the backend of OpenLDAP 2.4.26 since this is used extensively at my organization already.
I tried using the ppolicy overlay from OpenLDAP, but that does not provide any feedback to the user about pending password expiration via sssd.
So at the time and date of expiration, the user is unable to login without any prior warning.
Instead I see the following in /var/log/sssd/sssd_LDAP.log
[sssd[be[LDAP]]] [sdap_control_create] (3): Server does not support the requested control [1.3.6.1.4.1.42.2.27.8.5.1].
The above apparently is the LDAP control which gives the warning about password expiration, which sssd does not see.
I then attempted to turn on "ldap_pwd_policy = shadow" in /etc/sssd/sssd.conf. I was then unable to change the password via the passwd(1) command.
I see the following:
[testuser@rhel5server ~]$ passwd
Changing password for user testuser.
Current Password:
New UNIX password:
Retype new UNIX password:
passwd: Module is unknown
--------------------------------------
I do not see any warnings or message upon login if testuser account is about to expire.
If I bind as testuser with ppolicy active I get the following (sanitized):
ldapsearch -x -D uid=testuser,ou=People,o=myorg -W -H ldaps://ldaptest.domain.myorg -b uid=testuser,ou=People,o=myorg -e ppolicy
ldap_bind: Success (0) (Password expired, 2 grace logins remain)
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,o=myorg> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# testuser, People, myorg
dn: uid=testuser,ou=People,o=myorg
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
sn: testuser
cn: testUser
gecos: Test User
uidNumber: 5555
gidNumber: 5555
homeDirectory: /home/testuser
loginShell: /bin/bash
shadowLastChange: 14998
shadowExpire: 21917
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 370
shadowInactive: 180
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
--------------------------------------
With ldap_pwd_policy = shadow:
In /var/log/sssd/pam_LDAP.log (sanitized)
[sssd[be[LDAP]]] [check_pwexpire_shadow] (4): Password expired.
[sssd[be[LDAP]]] [sdap_auth4chpass_done] (7): user [uid=testuser,ou=People,o=myorg] successfully authenticated.
[sssd[be[LDAP]]] [sdap_auth4chpass_done] (1): Changing shadow password attributes not implemented.
[sssd[be[LDAP]]] [be_pam_handler_callback] (4): Backend returned: (3, 28, <NULL>) [Internal Error (Module is unknown)]
[sssd[be[LDAP]]] [be_pam_handler_callback] (4): Sending result [28][LDAP]
----------------------------------------
I am running rhel5:
rpm -qa sssd\*
sssd-1.5.1-37.el5
sssd-client-1.5.1-37.el5
--------------------------------------
My /etc/sssd/sssd.conf (sanitized):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 600
[pam]
reconnection_retries = 3
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = permit
ldap_schema = rfc2307
ldap_uri = ldaps://ldaptest.domain.myorg
ldap_search_base = o=myorg
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=testsa,ou=Manager,o=myorg
ldap_default_authtok_type = password
ldap_default_authtok = <secret>
ldap_user_search_base = ou=People,o=myorg
ldap_user_object_class = posixAccount
ldap_user_uuid = entryUUID
ldap_group_search_base = ou=Group,o=myorg
ldap_netgroup_search_base = ou=Netgroup,o=myorg
entry_cache_timeout = 60
ldap_pwd_policy = shadow
---------
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
account required pam_access.so accessfile=/etc/security/access-sssd.conf
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0077 skel=/etc/skel/
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
---------
Are there any plans to update sssd to support shadow attribute updates?
I read in the sssd-ldap man page: "shadow - Use shadow(5) style attributes to evaluate if the password has expired. Note that the current version of sssd cannot update this attribute during a password change."
Are there any plans to update sssd for RHEL5 to support "Controls used for Password Policy" found in http://tools.ietf.org/html/draft-behera-ldap-password-policy-07?
I can provide more information upon request.
Any help with this would be greatly appreciated.
Thanks in advance,
-Eric
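An added example, not part of Eric's post or of sssd itself: a small Python evaluator that applies shadow(5) ageing rules to the shadowAccount attributes shown in the ldapsearch output above, producing the "expires in N days" / "expired, grace remaining" status that pam_sss was not reporting. The LDIF fragment is constructed from the attributes in the post and the function names are mine; `today` is passed in as days since the epoch so the result is reproducible.

```python
"""Apply shadow(5) password-ageing rules to a shadowAccount LDAP entry (added example)."""
from datetime import date
# Constructed LDIF fragment; shadow* values copied from the ldapsearch output in the post.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,o=myorg
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
shadowLastChange: 14998
shadowExpire: 21917
shadowWarning: 7
shadowMax: 370
shadowInactive: 180
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]}; comments and blank lines are skipped."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def days_since_epoch(d):
    """shadow(5) stores dates as days since 1970-01-01, e.g. 14998 == 2011-01-24."""
    return (d - date(1970, 1, 1)).days

def shadow_status(entry, today):
    """Return (status, days_left) for an entry on day `today` (days since epoch).
    status is one of: ok, warn, expired_grace, expired, account_expired;
    days_left is days until the password expires (negative once expired)."""
    def attr(name, default=-1):
        return int(entry.get(name, [default])[0])
    last_change, max_age = attr("shadowLastChange"), attr("shadowMax")
    warn, inactive, acct_expire = attr("shadowWarning", 0), attr("shadowInactive"), attr("shadowExpire")
    if acct_expire >= 0 and today >= acct_expire:      # whole account expired (shadowExpire)
        return "account_expired", 0
    if last_change < 0 or max_age < 0:                 # ageing disabled for this entry
        return "ok", None
    days_left = last_change + max_age - today
    if days_left > warn:
        return "ok", days_left
    if days_left > 0:                                  # inside the shadowWarning window
        return "warn", days_left
    if inactive >= 0 and -days_left < inactive:        # expired, shadowInactive grace remains
        return "expired_grace", days_left
    return "expired", days_left
```

Call `shadow_status(parse_ldif(SAMPLE_LDIF), days_since_epoch(date.today()))` to evaluate the entry for the current day; the status strings are the points at which a login banner or monitoring check would want to warn or alert.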