[Fedora-directory-users] Linux password change/expiration issue

Kyle Tucker kylet at panix.com
Wed Nov 1 13:25:33 UTC 2006


Hi,
        I am trying to get password expiration to work on FC5/FDS 1.0.2
and having mixed results. I have set a user's shadowAccount attributes
as expired using the following values (with today being 13452):

shadowFlag: 0
shadowExpire: -1
shadowInactive: -1
shadowWarning: 0
shadowMax: 1
shadowMin: 1
shadowLastChange: 13452

All seems well when I log in.

You are required to change your LDAP password immediately.
Last login: Wed Nov  1 07:51:14 2006 from lin1000
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fjones.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for fjones
passwd: all authentication tokens updated successfully.
Connection to lin2600 closed.

Except I get booted off, and this is what /var/log/secure shows:

Nov  1 07:55:18 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd 
Nov  1 07:55:29 lin2600 passwd: pam_unix(passwd:chauthtok): user "fjones" does not exist in /etc/passwd 
Nov  1 07:55:29 lin2600 sshd[17557]: pam_unix(sshd:session): session closed for user fjones

Attempts to log in again accept the new password, which has changed in LDAP,
but I am asked to go through the same loop of changing the password again. 
The shadow* attributes are NOT changed however. So that's either my culprit 
or maybe the PAM password entries are not right. That looks like this:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

Finally, at the end of this document:

(http://directory.fedora.redhat.com/wiki/Howto:PAM)

It says to add the following to enable password expirations.

dn: cn=config
changetype: modify
add: passwordExp
passwordExp: on
-
add: passwordMaxAge
passwordMaxAge: 8640000

But my other tests seem to indicate some parts of expiration in fact
work. Is the above entry necessary?

Thanks so much.

-- 
- Kyle 
---------------------------------------------
kylet at panix.com   http://www.panix.com/~kylet    
---------------------------------------------
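As an added illustration of the shadowAccount aging fields discussed in the post above (this is example code written for this page, not part of the original message, pam_ldap, or Fedora Directory Server): the block below evaluates the shadow(5) rules for an LDAP entry on a given day, checks the shadowMin restriction on password changes, and builds the LDIF modification that records a change by bumping shadowLastChange. The day arithmetic (days since 1970-01-01) is the unit shadowLastChange and shadowExpire use; the exact boundary comparisons (expired once more than shadowMax days have passed, locked once more than shadowMax + shadowInactive days have passed) are this example's assumption and are not a statement about how pam_ldap decides. The entry values are the ones from the post; the DN uid=fjones,ou=People,dc=example,dc=com is a hypothetical placeholder.

```python
"""Evaluate shadow(5)-style password aging for an LDAP shadowAccount entry.

Added example, not code from the mailing-list post or from any PAM module.
Field semantics follow shadow(5): shadowLastChange 0 means "change at next
login"; -1 or an absent field means "not set". Boundary comparisons are
this example's choice.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """Day number in the unit used by shadowLastChange and shadowExpire."""
    return (d - EPOCH).days


def _field(entry: dict, name: str) -> int:
    """Read an integer shadow attribute; absent or empty means 'not set' (-1)."""
    value = entry.get(name)
    if value is None or str(value).strip() == "":
        return -1
    return int(value)


def check_shadow(entry: dict, today: int) -> dict:
    """Aging decision for `entry` on day `today` (days since epoch).

    status: account_expired | locked_inactive | change_required | warn | ok
    days_left: days until the password must be changed, or None if no max.
    """
    lastchg = _field(entry, "shadowLastChange")
    smax = _field(entry, "shadowMax")
    warn = _field(entry, "shadowWarning")
    inact = _field(entry, "shadowInactive")
    expire = _field(entry, "shadowExpire")

    # Absolute account expiry (shadowExpire) takes precedence over password aging.
    if expire != -1 and today >= expire:
        return {"status": "account_expired", "days_left": 0}
    # shadow(5): a lastchange of 0 forces a change at the next login.
    if lastchg == 0:
        return {"status": "change_required", "days_left": 0}
    # No lastchange or no max: aging is effectively switched off.
    if lastchg == -1 or smax == -1:
        return {"status": "ok", "days_left": None}

    age = today - lastchg
    if age > smax:
        # Past shadowMax. Once the shadowInactive grace period has also run
        # out, the account is locked instead of merely prompting for a change.
        if inact != -1 and age > smax + inact:
            return {"status": "locked_inactive", "days_left": 0}
        return {"status": "change_required", "days_left": 0}

    days_left = smax - age
    if warn > 0 and days_left <= warn:
        return {"status": "warn", "days_left": days_left}
    return {"status": "ok", "days_left": days_left}


def can_change_password(entry: dict, today: int) -> bool:
    """shadowMin: refuse a new change until that many days since the last one."""
    lastchg = _field(entry, "shadowLastChange")
    smin = _field(entry, "shadowMin")
    if lastchg <= 0 or smin <= 0:
        return True
    return today - lastchg >= smin


def last_change_ldif(dn: str, today: int) -> str:
    """LDIF that records a password change by setting shadowLastChange to today."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: shadowLastChange\n"
        f"shadowLastChange: {today}\n"
    )


# Constructed input: the attribute values from the post (as strings, the way
# an LDAP client returns them).
POSTED_ENTRY = {
    "shadowFlag": "0", "shadowExpire": "-1", "shadowInactive": "-1",
    "shadowWarning": "0", "shadowMax": "1", "shadowMin": "1",
    "shadowLastChange": "13452",
}

if __name__ == "__main__":
    print("2006-11-01 is day", days_since_epoch(date(2006, 11, 1)))
    for day in (13452, 13453, 13454):
        print(day, check_shadow(POSTED_ENTRY, day))
    # Hypothetical DN; pipe the output to ldapmodify to apply it.
    print(last_change_ldif("uid=fjones,ou=People,dc=example,dc=com", 13453))
```

Running the block prints the day number for 2006-11-01 and the decision for the posted entry on three consecutive days; with shadowMax: 1 the entry goes from "ok" to "change_required" as soon as more than one day has elapsed since shadowLastChange, and because shadowInactive is -1 it never reaches the locked state. The LDIF helper shows the attribute that has to be updated for the expiry loop to end after a successful change.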