
Ppolicy:pwdMustChange TRUE does not force User to change his Password

by Axel Werner

Hi anybody!

I use the ppolicy overlay to enforce a password policy on my LDAP user
objects. I also use pam_ldap and libnss-ldap on the client side so the Linux
client can authenticate and also work with the password-policy things
like expiration and so on. It works well, with one exception:

It seems that some component on the client side does not work well on
the "user must change password after administrative password reset"
topic. In fact, that user is still able to log in (as usual) and IS NOT
FORCED to change his password the moment he logs in. In another case,
say if the user's password expires the normal way, that user IS
FORCED to change his password the moment he logs in. But it won't work that way
if his password was just "reset by admin".

My slapd.conf contains pwdMustChange: true
My user's LDAP account also contains the "pwdReset: TRUE" attribute

If the user now logs on, he gets ONE ADDITIONAL LINE OF TEXT saying
"Change After Reset" on his console. Everything else is just as usual. No
enforcing at all.

So why is that?! Shouldn't there be a prompt requesting the user to enter
his new password?!?

I searched tons of docs and manuals and squeezed Google for days. No
luck yet. Would you help?

See the config files below.

regards
Axel


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# grep -v ^# libnss-ldap.conf | cat -s
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $

base dc=org

uri ldap://server

ldap_version 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# pam_ldap.conf | cat -s

base dc=org

uri ldap://server

ldap_version 3

pam_password clear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# nsswitch.conf | cat -s

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# ldap.conf | cat -s

BASE dc=org
URI ldap://server

SIZELIMIT 0
TIMELIMIT 15

TLS_CACERTDIR /etc/ssl/certs/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# slapd.conf | cat -s

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload refint
moduleload unique
moduleload ppolicy

sizelimit 500
tool-threads 1

backend bdb
checkpoint 512 30

database bdb

suffix "dc=org"

directory "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

rootdn "cn=manager,dc=org"
rootpw ldap

index objectClass eq
index cn eq,sub

password-hash {SHA}

lastmod on

overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY

overlay unique
unique_base dc=org
unique_attributes uid mail

overlay ppolicy
ppolicy_default cn=Standard,ou=pPolicies,dc=org
ppolicy_use_lockout
ppolicy_hash_cleartext

access to attrs=userPassword,shadowLastChange,pwdHistory
by dn="uid=admin,dc=org" write
by anonymous auth
by self write
by * none

access to dn.base="" by * read

access to *
by dn="uid=admin,dc=org" write
by * read

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
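Before deciding whether slapd or the PAM client is at fault, a practitioner would want to look at the directory state and at what the server itself reports at bind time. The script below is an added example, not part of Axel's post or of OpenLDAP's own documentation. It reuses the server URI, the admin DN and the ppolicy_default DN from the posted configs; the user uid=alice,dc=org and the LDIF samples embedded at the bottom are constructed for illustration. The four fetch/probe functions need a reachable server; the evaluator at the end works on the LDIF text they would return and encodes the ppolicy rule that a bind by an entry with pwdReset: TRUE is answered with the changeAfterReset condition in the ppolicy response control.

```shell
#!/bin/sh
# Added example; not from the original post. Server URI, admin DN and
# policy DN come from the posted configs; uid=alice,dc=org and the
# sample LDIF below are constructed.

URI='ldap://server'
ADMIN_DN='uid=admin,dc=org'
POLICY_DN='cn=Standard,ou=pPolicies,dc=org'
USER_DN='uid=alice,dc=org'

# 1. Read the policy entry that ppolicy_default points at. pwdMustChange
#    is an ordinary attribute of the pwdPolicy object class.
fetch_policy() {
    ldapsearch -LLL -x -H "$URI" -b "$POLICY_DN" -s base pwdMustChange pwdMaxAge
}

# 2. Read the user's ppolicy state. pwdReset and pwdChangedTime are
#    operational attributes, so they must be requested by name (or with '+').
fetch_user_state() {
    ldapsearch -LLL -x -H "$URI" -D "$ADMIN_DN" -W -b "$USER_DN" -s base \
        pwdReset pwdChangedTime
}

# 3. Reproduce an administrative reset. A password change made by anyone
#    other than the entry itself makes the overlay set pwdReset: TRUE when
#    the governing policy has pwdMustChange: TRUE.
admin_reset() {
    ldappasswd -x -H "$URI" -D "$ADMIN_DN" -W -S "$USER_DN"
}

# 4. Ask slapd directly. With the ppolicy request control attached, the
#    bind response control reports the changeAfterReset condition. If this
#    shows it and a console login still does not force a change, slapd has
#    done its part and the gap is on the client (PAM) side.
probe_bind() {
    ldapwhoami -x -H "$URI" -D "$USER_DN" -W -e ppolicy
}

# --- offline evaluator over the LDIF of steps 1 and 2 -------------------

# ldif_value ATTR  (LDIF on stdin): first value of ATTR, upper-cased,
# empty string if the attribute is absent.
ldif_value() {
    grep -i "^$1:" | head -n 1 | awk '{print $2}' | tr '[:lower:]' '[:upper:]'
}

# Does this policy make an administrative reset set pwdReset on the user?
# Prints TRUE or FALSE.
policy_flags_admin_reset() {
    v=$(printf '%s\n' "$1" | ldif_value pwdMustChange)
    if [ "$v" = "TRUE" ]; then echo TRUE; else echo FALSE; fi
}

# What the ppolicy response control will say for a bind by this user:
# changeAfterReset while pwdReset is TRUE, otherwise ok.
expected_bind_result() {
    v=$(printf '%s\n' "$1" | ldif_value pwdReset)
    if [ "$v" = "TRUE" ]; then echo changeAfterReset; else echo ok; fi
}

# Constructed samples of what steps 1 and 2 return for a user who was
# just reset by the admin, and for the same user after changing the password.
SAMPLE_POLICY_LDIF='dn: cn=Standard,ou=pPolicies,dc=org
pwdMustChange: TRUE
pwdMaxAge: 7776000'

SAMPLE_USER_RESET='dn: uid=alice,dc=org
pwdChangedTime: 20240101120000Z
pwdReset: TRUE'

SAMPLE_USER_CLEAN='dn: uid=alice,dc=org
pwdChangedTime: 20240102083000Z'

# Stand-alone run: evaluate the constructed samples.
echo "policy sets pwdReset on admin reset: $(policy_flags_admin_reset "$SAMPLE_POLICY_LDIF")"
echo "bind result while reset pending:     $(expected_bind_result "$SAMPLE_USER_RESET")"
echo "bind result after user changed it:   $(expected_bind_result "$SAMPLE_USER_CLEAN")"
```

Run the fetch and probe functions against the real server (the -W switches prompt for the bind password) and feed their output to the two evaluator functions; whatever the console login does, probe_bind shows what slapd actually told the client.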

