[Fedora-directory-users] pam_ldap and password policy

[Jeff Falgout]

Jeff Falgout said:
> Brian Peters said:
>> Jeff,<br>
>> <br>
>> I have been able to get this to work with pam_ldap.&nbsp; In fact, it
>> works
>> regardless of the pam_lookup_policy setting.&nbsp; One thing that may be
>> throwing you is how you are resetting the password.&nbsp; According to
>> the
>> docs, only a password reset by the Directory Manager will force the
>> user to change their password on the next bind attempt/login.<br>
>> <br>
>> So before you wrack your brain over your pam/ldap configuration on the
>> client, try logging in to the admin web interface and change the users
>> password as the Directory Manager.&nbsp; Then reauthenticate on the web
>> interface as that user and see if it tells you that you need to change
>> your password.&nbsp; If it doesn't prompt you to change your password,
>> then
>> there is something wrong with your password policy configuration, not
>> pam_ldap.<br>
>> <br>
>> Brian<br>
>> <br>
>
> Thanks Brian -
>
> I didn't think to check the web interface - the password changed IS forced
> after a reset when authenticating to the admin web interface.
>
> I rechecked the RHEL 3 and 4 boxen - the RHEL 3 box DOES enforce the
> password change correctly, but only on the terminal login, not sshd. RHEL
> 4 doesn't work for login or sshd.
>

I updated to the latest openssh and pam on both the RHEL3 and RHEL4 boxes
- sshd and login now both prompt for a password change on the RHEL3 boxes,
but RHEL4 is still broken.

Baby steps . . .