[Fedora-directory-users] Linux password change/expiration issue
Kyle Tucker
kylet at panix.com
Wed Nov 1 13:25:33 UTC 2006
Hi,
I am trying to get password expiration to work on FC5/FDS 1.0.2
and having mixed results. I have set a user's shadowAccount attributes
as expired using the following values (with today being 13452):
shadowFlag: 0
shadowExpire: -1
shadowInactive: -1
shadowWarning: 0
shadowMax: 1
shadowMin: 1
shadowLastChange: 13452
All seems well when I log in.
You are required to change your LDAP password immediately.
Last login: Wed Nov 1 07:51:14 2006 from lin1000
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fjones.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for fjones
passwd: all authentication tokens updated successfully.
Connection to lin2600 closed.
Except I get booted off, and this is in /var/log/secure:
Nov 1 07:55:18 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd
Nov 1 07:55:29 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd
Nov 1 07:55:29 lin2600 sshd[17557]: pam_unix(sshd:session): session closed for user fjones
Attempts to log in again accept the new password, which has changed in LDAP,
but I am asked to go through the same loop of changing the password again.
The shadow* attributes are NOT changed however. So that's either my culprit
or maybe the PAM password entries are not right. That looks like this:
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
Finally, at the end of this document:
(http://directory.fedora.redhat.com/wiki/Howto:PAM)
It says to add the following to enable password expirations.
dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000
But my other tests seem to indicate some parts of expiration in fact
work. Is the above entry necessary?
Thanks so much.
--
- Kyle
---------------------------------------------
kylet at panix.com http://www.panix.com/~kylet
---------------------------------------------
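The following is an added example, not part of Kyle's post or of the Fedora Directory Server project. It models the shadow(5) semantics of the shadowAccount attributes listed above (shadowLastChange, shadowMax, shadowMin, shadowWarning, shadowInactive, shadowExpire; -1 means "not set") so you can see which state a given attribute set puts a login into, and why a password change that rewrites userPassword but never stamps a new shadowLastChange leaves the account in the "must change" state on every subsequent login. The check order follows the documented field meanings as pam_unix applies them, but it is a model for illustration, not a copy of pam_unix or pam_ldap code; the day number 13454 used in the walk-through is constructed.

```python
import dataclasses
from dataclasses import dataclass


@dataclass(frozen=True)
class ShadowAccount:
    """The shadowAccount attributes from the post. Day values are days since
    1970-01-01 and -1 means 'not set', as in shadow(5)."""
    shadowLastChange: int
    shadowMin: int = -1
    shadowMax: int = -1
    shadowWarning: int = -1
    shadowInactive: int = -1
    shadowExpire: int = -1
    shadowFlag: int = 0


def shadow_status(acct: ShadowAccount, today: int) -> str:
    """Return 'ok', 'warn', 'must-change' or 'account-expired' for day `today`.

    Order of checks (shadow(5) semantics, modelled here for illustration):
    a hard shadowExpire date wins; shadowLastChange == 0 forces a change;
    a password older than shadowMax days must be changed; once shadowInactive
    further days have passed on top of that, the account is locked out.
    """
    if acct.shadowExpire != -1 and today > acct.shadowExpire:
        return "account-expired"
    if acct.shadowLastChange == 0:
        return "must-change"
    age = today - acct.shadowLastChange   # days since the password was last changed
    if acct.shadowMax != -1 and age > acct.shadowMax:
        if acct.shadowInactive != -1 and age > acct.shadowMax + acct.shadowInactive:
            return "account-expired"
        return "must-change"
    if (acct.shadowMax != -1 and acct.shadowWarning > 0
            and age > acct.shadowMax - acct.shadowWarning):
        return "warn"
    return "ok"


def change_allowed(acct: ShadowAccount, today: int) -> bool:
    """shadowMin is the minimum number of days between two password changes."""
    return acct.shadowMin <= 0 or today - acct.shadowLastChange >= acct.shadowMin


def apply_password_change(acct: ShadowAccount, today: int, update_shadow: bool) -> ShadowAccount:
    """Simulate the bookkeeping side of a password change. Writing userPassword
    is not modelled; what matters for expiry is whether shadowLastChange gets
    stamped with today's day number (update_shadow=True) or is left alone."""
    return dataclasses.replace(acct, shadowLastChange=today) if update_shadow else acct


def expiry_loop_demo() -> list:
    """Constructed walk-through with the attribute values from the post, two days
    after the recorded change, showing the login loop and what ends it."""
    posted = ShadowAccount(shadowLastChange=13452, shadowMin=1, shadowMax=1,
                           shadowWarning=0, shadowInactive=-1, shadowExpire=-1, shadowFlag=0)
    today = 13454  # constructed: age is 2 days, older than shadowMax=1
    at_login = shadow_status(posted, today)
    # Password changed in LDAP, shadow* attributes untouched: next login sees the same state.
    after_untouched = shadow_status(apply_password_change(posted, today, update_shadow=False), today)
    # Password changed and shadowLastChange stamped: the account is current again.
    after_stamped = shadow_status(apply_password_change(posted, today, update_shadow=True), today)
    return [at_login, after_untouched, after_stamped]


if __name__ == "__main__":
    labels = ("login", "after change, shadow* untouched", "after change, shadowLastChange stamped")
    for label, state in zip(labels, expiry_loop_demo()):
        print(f"{label}: {state}")
```

Running the block prints the three states of the walk-through; feed your own attribute values and day number into `shadow_status` and `change_allowed` to see what a given shadowAccount entry means before you test it against a real login.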
More information about the 389-users mailing list