On (19/11/14 16:04), Seth Sims wrote:
Hello everyone,
I am trying to get sssd configured with ldap but having a little bit of
trouble. I can successfully authenticate and get all user information and
all that basic jazz. However, when I set pwdReset in the user's entry on our
ldap, sssd is not prompting the user to reset their password. It's obvious
from the sssd log for the domain (part included below) that sssd sees the
attribute in the password policy control but the message is not making it
back to PAM.
I have also included the config for the domain including some of my
attempts to figure out if this is a configuration issue. Am I missing a
setting? Have I found a bug? What's going on here?
- Seth
>>>> some Pertinent Versions
CentOS 6
sssd 1.12.2
openldap 2.4.39
>>>>>>>>>>>>>>>>>>>>>>>>
auth-people log
[find_password_expiration_attributes] (0x4000): No password policy
requested.
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1],
ops[0x1410460], ldap[0x1360050]
[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1],
ops[0x1410460], ldap[0x1360050]
[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
[simple_bind_done] (0x2000): Server returned control
[1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace
[-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new
password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password
policies are active.
[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1],
ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
[remove_connection_callback] (0x4000): Successfully removed connection
callback.
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>)
[Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
^^^
That's the right pam error code.
From the pam header files:
#define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required.
                                   This is normally returned if the
                                   machine security policies require
                                   that the password should be changed
                                   because the password is NULL or it
                                   has aged */
How did you test? (with ssh or with "su -")
Could you share log files from pam section as well?
/var/log/secure would be helpful too.
How did you configure pam stack?
LS
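As an added triage aid (not code from this thread or from sssd), the Python below parses sssd domain-log records like the ones quoted above and decodes the PAM status sssd hands back, so you can tell whether the "password must be changed" signal was lost inside sssd or further up in the PAM stack and login application. The sample log lines and the small PAM_STATUS map are constructed here for the example.

```python
import re

# Constructed sample sssd domain-log records (one per line), modelled on the
# poster's log; not the original log itself.
SAMPLE_LOG = """\
[simple_bind_send] (0x0100): Executing simple bind as: *****
[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
"""

# Status values from Linux-PAM's _pam_types.h (only the ones a login triage needs).
PAM_STATUS = {0: "PAM_SUCCESS", 7: "PAM_AUTH_ERR", 12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED"}

PPOLICY_RE = re.compile(r"Password Policy Response: expire \[(-?\d+)\] grace \[(-?\d+)\] error \[([^\]]*)\]")
BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), ([^)]*)\)")
SENT_RE = re.compile(r"Sending result \[(\d+)\]\[([^\]]+)\]")

def parse_auth_log(text):
    """Pull the ppolicy control fields and the PAM status sssd returns out of a domain log."""
    report = {"ppolicy": None, "backend_status": None, "sent_status": None, "service": None}
    for line in text.splitlines():
        if m := PPOLICY_RE.search(line):
            report["ppolicy"] = {"expire": int(m[1]), "grace": int(m[2]), "error": m[3]}
        elif m := BACKEND_RE.search(line):
            report["backend_status"] = int(m[2])  # second field of the tuple is the PAM status
        elif m := SENT_RE.search(line):
            report["sent_status"], report["service"] = int(m[1]), m[2]
    return report

def diagnose(report):
    """Say whether the password-change signal survived the sssd side of the exchange."""
    status = report["backend_status"]
    name = PAM_STATUS.get(status, f"unknown({status})")
    if status == 12 and report["sent_status"] == 12:
        return (f"sssd backend returned {name} for service {report['service']}: the LDAP "
                "ppolicy control demanded a password change and sssd passed it on; if no "
                "prompt appeared, look at the PAM stack and the login application")
    if report["ppolicy"] and status != 12:
        return f"ppolicy said '{report['ppolicy']['error']}' but sssd returned {name}: sssd-side problem"
    return f"sssd returned {name}; no password-change signal came from the server"

if __name__ == "__main__":
    print(diagnose(parse_auth_log(SAMPLE_LOG)))
```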