[Fedora-directory-users] pam_ldap and password policy

[Jeff Falgout]

Brian Peters said:
> Jeff,<br>
> <br>
> I have been able to get this to work with pam_ldap.&nbsp; In fact, it
> works
> regardless of the pam_lookup_policy setting.&nbsp; One thing that may be
> throwing you is how you are resetting the password.&nbsp; According to the
> docs, only a password reset by the Directory Manager will force the
> user to change their password on the next bind attempt/login.<br>
> <br>
> So before you wrack your brain over your pam/ldap configuration on the
> client, try logging in to the admin web interface and change the users
> password as the Directory Manager.&nbsp; Then reauthenticate on the web
> interface as that user and see if it tells you that you need to change
> your password.&nbsp; If it doesn't prompt you to change your password,
> then
> there is something wrong with your password policy configuration, not
> pam_ldap.<br>
> <br>
> Brian<br>
> <br>

Thanks Brian -

I didn't think to check the web interface - the password changed IS forced
after a reset when authenticating to the admin web interface.

I rechecked the RHEL 3 and 4 boxen - the RHEL 3 box DOES enforce the
password change correctly, but only on the terminal login, not sshd. RHEL
4 doesn't work for login or sshd.