[Fedora-directory-users] pam_ldap and password policy
Jeff Falgout
jfalgout at ogov.net
Wed Jun 15 22:38:54 UTC 2005
Jeff Falgout said:
> Brian Peters said:
>> Jeff,<br>
>> <br>
>> I have been able to get this to work with pam_ldap. In fact, it
>> works
>> regardless of the pam_lookup_policy setting. One thing that may be
>> throwing you is how you are resetting the password. According to
>> the
>> docs, only a password reset by the Directory Manager will force the
>> user to change their password on the next bind attempt/login.<br>
>> <br>
>> So before you wrack your brain over your pam/ldap configuration on the
>> client, try logging in to the admin web interface and change the users
>> password as the Directory Manager. Then reauthenticate on the web
>> interface as that user and see if it tells you that you need to change
>> your password. If it doesn't prompt you to change your password,
>> then
>> there is something wrong with your password policy configuration, not
>> pam_ldap.<br>
>> <br>
>> Brian<br>
>> <br>
>
> Thanks Brian -
>
> I didn't think to check the web interface - the password changed IS forced
> after a reset when authenticating to the admin web interface.
>
> I rechecked the RHEL 3 and 4 boxen - the RHEL 3 box DOES enforce the
> password change correctly, but only on the terminal login, not sshd. RHEL
> 4 doesn't work for login or sshd.
>
I updated to the latest openssh and pam on both the RHEL3 and RHEL4 boxes
- sshd and login now both prompt for a password change on the RHEL3 boxes,
but RHEL4 is still broken.
Baby steps . . .
More information about the 389-users
mailing list