[Fedora-directory-users] Ubuntu not enforcing password policies

Nalin Dahyabhai nalin at redhat.com
Mon Dec 1 18:36:24 UTC 2008 

On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote:
> Hello, all.  We're continuing to dive ever deeper into DS.  Our thanks
> to the developers for such a powerful product.
> 
> Our integration with the RedHat family has gone well but now we're
> working on Ubuntu.  Most is working well but we are finding Ubuntu is
> not enforcing password policies.  For example, we require a user to
> change their password after a reset.  When a user logs into a RedHat
> system, they are prompted for the change.  However, Ubuntu just lets
> them right in again and again with the same reset password.
> 
> Any pointers on what to look for to fix this in our configuration before
> we scour the world for a solution? We've already done quite a bit of
> googling.
> 
> We've tried enabling pam_lookup_policy but that didn't
> work.  /etc/pam.d/common-password reads:
> 
> password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
> password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
> password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
> # here's the fallback if no module succeeds
> password        requisite                       pam_deny.so
> 
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password        required                        pam_permit.so
> 
> We've also tried disabling that last pam_permit.so.  That didn't help.  Where should we look? Thanks - John

When using PAM, the calling application "knows" that the user's password
needs to be changed because the account management modules signal it, so
you'll want to check the "account" portions of the PAM configuration.

Specifically, you want to ensure that pam_ldap.so is being used, and
that some other module isn't causing the account management function to
return a success code before pam_ldap.so gets a chance to check on the
user's account and return a password-needs-changing code.

Just a guess, but going on what I get on my Fedora system, it might look
something like this:

  account required pam_unix.so
  account sufficient pam_succeed_if.so uid < 500 quiet
  account [[default=bad success=ok user_unknown=ignore] pam_ldap.so
  account required pam_permit.so

HTH,

Nalin

More information about the 389-users mailing list