
RE: forced password changes

by r.stricklin

Folks;

I need to reclassify my problem.

The problem is that somewhere in the auth chain there is an
inappropriate dependence on CRYPT style encrypted passwords. I am not
sure how to track down where.

If I edit /etc/ldap.conf and change 'pam_password' from 'exop' (or
indeed anything) to 'crypt', the expired passwords and forced changes
work correctly.

How can I track down what piece of software is ignoring PAM during the
password change and depending on a CRYPT style password? I'm sure it's
got to be whatever's printing "Old password:" in the session excerpt
quoted below... but what piece is that?

ok
r.

> -----Original Message-----
> From: Stricklin, Raymond J
> Sent: Tuesday, November 25, 2008 11:53 AM
> To: pamldap@...
> Subject: [pamldap] forced password changes
>
>
> Folks;
>
> I am not having much luck making forced password changes work
> with LDAP.
>
>
> I have a working OpenLDAP server providing passwd, shadow,
> and group information to a SuSE SLES10 SP2 client. Things are
> working well: users can log in, can change their own
> passwords using 'passwd', and so on. I want to be able to use
> the 'passwd -e' (or 'chage -E 0') to cause a user to be
> prompted to select a new password the next time he logs in,
> and this is not working correctly.
>
> 'passwd -e' correctly updates LDAP for the user, setting
> 'passwordLastChange: 0', which matches the shadow semantics
> and is expected. When the user logs in the next time, he
> receives a message stating he must change his password, and
> is prompted for his old password. (It'd be nice if it simply
> asked for a new one, but the demonstrated behavior is
> acceptable). However, when the user types his old password in
> at the prompt, it is rejected. If any password is accepted
> here, I have been unable to determine what it is.
>
> wingnut:~ # telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> Welcome to SUSE Linux Enterprise Server 10 SP2 (s390x) -
> Kernel 2.6.16.60-0.21-default (3).
>
> ldc1 login: user
> Password:
> You are required to change your LDAP password immediately.
> Old Password:
>
> Authentication failure
> Connection closed by foreign host.
> wingnut:~ #
>
> This happens repeatably whenever passwordLastChange is set to
> 0 in LDAP for any user. Forced password changes with 'passwd
> -e' still work for any locally defined users (/etc/shadow,
> etc.). I have 'pam_password exop' in ldap.conf, and my PAM
> configuration is more or less equivalent to the following:
>
> account sufficient      pam_ldap.so
> account required        pam_unix2.so
> auth    required        pam_env.so
> auth    sufficient      pam_unix2.so
> auth    sufficient      pam_ldap.so use_first_pass
> auth    required        pam_deny.so
> password required       pam_pwcheck.so  nullok
> password sufficient     pam_ldap.so     use_authtok
> password required       pam_unix2.so    nullok use_authtok
> session required        pam_limits.so
> session required        pam_unix2.so
> session optional        pam_ldap.so
>
> Does this work for anybody? Any ideas what might be going
> wrong, or what I might trace to shed light on the situation?
>
> Thanks;
>
> ok
> r.
>
>

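The PAM stack quoted in the message can be worked through mechanically, which is the first step in tracing which module owns a prompt. The Python below is an added example, not code from the poster or from pam_ldap, pam_unix2 or pam_pwcheck; it embeds the quoted stack as a constructed sample and models the standard Linux-PAM control flags (required, requisite, sufficient, optional) together with the token-reuse options (use_first_pass, try_first_pass, use_authtok). The `[value=action]` control syntax is assumed not to be in use. It cannot say which module prints "Old Password:", but it narrows the candidates: in the quoted password stack only the first module is free to prompt on its own, and because that module is required, a later sufficient success cannot rescue a rejected old password.

```python
"""Model a Linux-PAM stack: which modules run, which are free to prompt,
and how the control flags combine.  Added example; the stack below is the
one quoted in the post, embedded here as a constructed sample."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the PAM stack from the original message.
SAMPLE_PAM_CONF = """
account sufficient      pam_ldap.so
account required        pam_unix2.so
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_authtok
password required       pam_unix2.so    nullok use_authtok
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_ldap.so
"""

# Options that tell a module to reuse a token obtained by an earlier module
# instead of putting up its own prompt.
REUSE_TOKEN_OPTS = {"use_first_pass", "try_first_pass", "use_authtok"}


@dataclass
class Entry:
    mgmt: str      # account / auth / password / session
    control: str   # required / requisite / sufficient / optional
    module: str
    args: List[str] = field(default_factory=list)


def parse_pam(text: str) -> List[Entry]:
    """Parse the classic one-keyword control syntax (not the [value=action] form)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def stack(entries: List[Entry], mgmt: str) -> List[Entry]:
    """The entries of one management group, in file order."""
    return [e for e in entries if e.mgmt == mgmt]


def may_prompt(entries: List[Entry], mgmt: str) -> List[str]:
    """Modules not told to reuse an earlier token, i.e. the only ones free to
    show their own prompt (whether a module actually prompts is up to it)."""
    return [e.module for e in stack(entries, mgmt)
            if not REUSE_TOKEN_OPTS & set(e.args)]


def evaluate(entries: List[Entry], mgmt: str,
             outcomes: Dict[str, bool]) -> Tuple[str, List[str]]:
    """Walk one management stack with Linux-PAM control-flag semantics.
    outcomes maps module name -> True (success) / False (failure); modules
    not listed are assumed to succeed.  Returns (result, modules that ran)."""
    st = stack(entries, mgmt)
    ran: List[str] = []
    required_failed = False
    any_success = False
    for e in st:
        ran.append(e.module)
        ok = outcomes.get(e.module, True)
        if e.control in ("required", "requisite"):
            if ok:
                any_success = True
            elif e.control == "requisite":
                return "failure", ran       # requisite: stop at once
            else:
                required_failed = True      # required: remember, keep walking
        elif e.control == "sufficient":
            if ok and not required_failed:
                return "success", ran       # short-circuit; later modules skipped
            # a failing sufficient module is simply ignored
        elif e.control == "optional":
            if len(st) == 1:                # optional only counts when alone
                any_success = ok
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    if required_failed or not any_success:
        return "failure", ran
    return "success", ran


if __name__ == "__main__":
    conf = parse_pam(SAMPLE_PAM_CONF)
    print("password stack, free to prompt:", may_prompt(conf, "password"))
    # First (required) module rejects the old password: the stack fails even
    # though the sufficient pam_ldap entry would have succeeded.
    print(evaluate(conf, "password", {"pam_pwcheck.so": False, "pam_ldap.so": True}))
    print(evaluate(conf, "password", {"pam_pwcheck.so": True, "pam_ldap.so": True}))
```

Running it against a real client means feeding it the contents of the relevant `/etc/pam.d/` service file rather than the sample; the `evaluate` outcomes are hypothetical module results supplied by the reader, not anything the tool measures.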