[389-users] sshd/pam_ldap not honoring passwordMustChange

Aaron Hagopian airhead1 at gmail.com
Wed Jun 15 17:21:19 UTC 2011


I have not seen or used the passwordMustChange attribute before but I can
tell you that if you set the passwordExpirationTime as following:

passwordExpirationTime: 19700101000000Z


It should force the user to change their password on their next login.  Keep
in mind you will not get a prompt if you use a passwordless ssh login via
rsa key exchange.

Hope that helps.

Thanks,
Aaron


On Tue, Jun 14, 2011 at 5:03 PM, David Barr <dafydd at dafydd.com> wrote:

> I know this is outside the scope of the 389 list, but my Google-fu is
> failing me on this one.
>
> If I change the password to the account on the LDAP server and verify
> "passwordmustchange: on," I can ssh in to the test host with the new
> password all day long, and never get asked to change it.
>
> I'm hoping someone has seen a document recently that they could link to.
> I've seen the "PAM Configuration for LDAP Client Systems" page on the
> wiki. That deals more with setting password expiration, though.
>
> Thanks!
> David
>
> --
> David - Offbeat                http://dafydd.livejournal.com
> dafydd - Online                http://pgp.mit.edu/
> Battalion 4 - Black Rock City Emergency Services Department
>       Integrity*Commitment*Communication*Support
>
>
>
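Before chasing the PAM side, it helps to confirm what the directory itself thinks. The script below is an added example, not code from the thread: it reads an ldapsearch-style LDIF dump (the DNs and values are constructed) and reports which accounts carry a passwordExpirationTime already in the past, including the 19700101000000Z epoch value Aaron describes for forcing a change at next login.

```python
import re
from datetime import datetime, timezone

# Constructed sample LDIF, shaped like ldapsearch output from a 389 DS suffix.
# DNs, uids and timestamps are assumptions for this example only.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
passwordExpirationTime: 19700101000000Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
passwordExpirationTime: 20110901120000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: value} dict per entry (single-valued)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        entries.append(entry)
    return entries

def parse_generalized_time(value):
    """LDAP GeneralizedTime as 389 DS writes it: YYYYMMDDHHMMSSZ, UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def must_change_pending(entry, now):
    """True when passwordExpirationTime is at or before 'now'.
    An epoch timestamp (19700101000000Z) is always in the past, which is why
    setting it marks the account as 'change password at next login'."""
    value = entry.get("passwordExpirationTime")
    return value is not None and parse_generalized_time(value) <= now

def audit(text, now_str=None):
    """Return {uid: pending} for every entry; now_str is GeneralizedTime or None for the current time."""
    now = parse_generalized_time(now_str) if now_str else datetime.now(timezone.utc)
    return {e["uid"]: must_change_pending(e, now) for e in parse_ldif(text)}

if __name__ == "__main__":
    for uid, pending in audit(SAMPLE_LDIF).items():
        print(f"{uid}: {'change required' if pending else 'ok'}")
```

If an account shows as pending here but ssh never prompts, the problem is on the PAM/sshd side rather than in the directory.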