[Fedora-directory-users] ShadowPassword / ShadowExpire
Jim Summers
jsummers at bachman.cs.ou.edu
Mon Dec 19 16:16:53 UTC 2005
I am pretty sure I found the solution here:
http://directory.fedora.redhat.com/wiki/Howto:PAM
Towards the bottom it mentions a couple of ldap.conf entries that are
necessary along with activating the pw policy.
Will post if any oddness is discovered.
Thanks!
--jim
Jim Summers wrote:
>
>
> Jeff Medcalf wrote:
>
>> Jim,
>>
>> I haven't tried this on FDS, but given that it has the same base as
>> SunONE and the old iPlanet, I would assume it works the same as those
>> directory servers. In that case, and assuming that you are using
>> pam_ldap, go ahead and use the password policy: pam_ldap knows about
>> it and works correctly with it.
>
>
> I am a little confused on what is actually being used. I see the
> following entries in machines here:
> =========================================
> Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account
> configuration[13]: User account has expired
> Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP
> server...
> Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server
> after 1 attempt(s)
> =========================================
>
> So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess
> they could be one and the same?
>
> and system-auth has:
> ======================================
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> ======================================
>
> So I would think it is pam_ldap.
>
> I am going to double-check the pam config to make sure it is still
> following recommendations.
>
>>
>> Oh, and if you are using the pam_ldap that comes with Solaris, you
>> might try switching to the open source version: the Sun version is
>> terribly buggy and horrible.
>
>
> Will do. The majority are linux clients.
>
>>
>> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
>>
>>> Hello List,
>>>
>>> Being in the midst of evaluating and hopefully migrating to FDS
>>> soon. I have stumbled onto an odd problem.
>>>
>>> My user information is kept in the People container. We have been
>>> using shadowExpire / shadowLastChange fields.
>>>
>>> This all seems to work except when a user's account is ready to
>>> expire and is prompted to change their password. Using passwd, the
>>> user can change the password, but the system continues to prompt for
>>> a new password upon each successive login.
>>>
>>> Looking at the data, the shadowExpire / LastChange never get
>>> updated. I am also not seeing any errors being generated in the
>>> logs. I can manually update those fields and the problem goes
>>> away. But I guess I thought passwd / nss_ldap / pam would update
>>> those fields as needed.
>>>
>>> Looking in the docs, all I see is configuring a password policy.
>>> But that seems to be directed at users actually connecting to the
>>> directory via console / ldapsearch, etc....
>>>
>>> Initially I thought I was having some ACI issues but I am really not
>>> sure. It could be that I need to drop the shadow stuff and
>>> configure the password policy?
>>>
>>> Advice or suggestions on what I am missing or where I have gone wrong?
>>>
>>>
>>> TIA
>>> --
>>> Jim Summers
>>> School of Computer Science-University of Oklahoma
>>> -------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>> --
>> Jeff Medcalf
>> jeff at caerdroia.org
>>
>>
>
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
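Worked example (added here, not part of the thread and not FDS or pam_ldap code): the symptom in the thread, repeated "change your password" prompts after a successful passwd, is exactly what a stale shadowLastChange produces under the shadow(5) aging rules, while a reached shadowExpire produces the "User account has expired" line seen in the sshd log. The script below evaluates an entry's shadow* attributes with a simplified model of the checks pam_unix (and the PADL pam_ldap shadow code) perform, and builds the ldapmodify LDIF that stamps shadowLastChange with today's day number, which is what the manual fix in the thread amounts to. The sample entry, its DN and the rule set are assumptions for illustration; day numbers are days since 1970-01-01 as shadow(5) stores them.

```python
"""Shadow password aging for LDAP-backed accounts: evaluate an entry's
shadow* attributes the way a PAM account check does, and build the LDIF
that stamps shadowLastChange after a password change (added example)."""
import datetime

EPOCH = datetime.date(1970, 1, 1)


def days_since_epoch(day):
    """Day number in the unit shadowLastChange / shadowExpire are stored in."""
    return (day - EPOCH).days


def day_number(year, month, day):
    return days_since_epoch(datetime.date(year, month, day))


def parse_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines into a dict of
    lists (no base64, no continuation lines; enough for sample data)."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def shadow_state(entry, today):
    """Return 'ok', 'warn', 'must_change', 'password_expired' or
    'account_expired' for an entry on day number `today`.
    Rules follow shadow(5): absent or negative value = unlimited,
    shadowLastChange 0 = change at next login.  This is a simplified
    model of pam_unix's check_shadow_expiry (assumption), not a copy of
    either pam_unix or pam_ldap."""
    def get(attr):
        v = entry.get(attr)
        return int(v[0]) if v and v[0] != "" else None

    expire, lstchg = get("shadowExpire"), get("shadowLastChange")
    maxd, inact, warn = get("shadowMax"), get("shadowInactive"), get("shadowWarning")

    # Account expiry is checked first and wins over password aging.
    if expire is not None and expire >= 0 and today >= expire:
        return "account_expired"
    if lstchg is None:            # aging disabled for this entry
        return "ok"
    if lstchg == 0:               # forced change at next login
        return "must_change"
    if maxd is None or maxd < 0:  # no maximum age
        return "ok"
    age = today - lstchg
    if age > maxd:
        # Past the inactivity grace period the account itself is closed.
        if inact is not None and inact >= 0 and age > maxd + inact:
            return "account_expired"
        return "password_expired"  # login allowed, new password demanded
    if warn is not None and warn > 0 and age > maxd - warn:
        return "warn"
    return "ok"


def lastchange_modify_ldif(dn, today):
    """LDIF for ldapmodify that does what passwd should have done in the
    directory: replace shadowLastChange with today's day number."""
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: shadowLastChange\n"
            f"shadowLastChange: {today}\n")


# Constructed sample entry mirroring the thread: the password was changed on
# the client, but shadowLastChange in the directory was never rewritten.
STALE_ENTRY = """
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe
shadowLastChange: 13000
shadowMax: 90
shadowWarning: 7
"""

if __name__ == "__main__":
    today = day_number(2005, 12, 19)                  # 13136
    entry = parse_entry(STALE_ENTRY)
    print("before:", shadow_state(entry, today))      # password_expired
    print(lastchange_modify_ldif(entry["dn"][0], today))
    entry["shadowLastChange"] = [str(today)]
    print("after: ", shadow_state(entry, today))      # ok
```

Run it as-is to see the stale entry flagged as password_expired and turn to ok once shadowLastChange carries the current day number; feed the printed LDIF to ldapmodify (bound as an identity the ACIs let write shadowLastChange) to reproduce the manual fix. If passwd is meant to do this on its own, the bind identity pam_ldap uses for the change must have that same write access, otherwise the field silently stays stale and every login prompts again.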
More information about the 389-users mailing list