|
»
»
« Return to Thread: forced password changes
RE: forced password changes
by r.stricklin
::
Rate this Message:
Again...
After looking at the source (pam_ldap.c) I discovered that the pam_ldap
documentation is a little misleading with regard to the equivalence of
use_authtok and use_first_pass, so I decided to try tweaking pam.conf
some more. I found that changing this:
password sufficient pam_ldap.so use_authtok
to this:
password sufficient pam_ldap.so try_first_pass
causes the "Old password:" prompt to appear just as it has been, only
now authentication succeeds, and the forced password change works
correctly without requiring 'pam_password crypt' set in /etc/ldap.conf.
Can somebody who understands pam_ldap better than I do explain why that
should have made the difference? Demonstrably, it works, but I am at a
loss to explain why.
ok
r.
> -----Original Message-----
> From: Stricklin, Raymond J
> Sent: Wednesday, November 26, 2008 3:06 PM
> To: pamldap@...
> Subject: RE: [pamldap] forced password changes
>
> Folks;
>
> I need to reclassify my problem.
>
> The problem is that somewhere in the auth chain there is an
> inappropriate dependence on CRYPT style encrypted passwords.
> I am not sure how to track down where.
>
> If I edit /etc/ldap.conf and change 'pam_password' from
> 'exop' (or indeed anything) to 'crypt', the expired passwords
> and forced changes work correctly.
>
> How can I track down what piece of software is ignoring PAM
> during the password change and depending on a CRYPT style
> password? I'm sure it's got to be whatever's printing "Old
> password:" in the session excerpt quoted below... but what
> piece is that?
>
> ok
> r.
>
> > -----Original Message-----
> > From: Stricklin, Raymond J
> > Sent: Tuesday, November 25, 2008 11:53 AM
> > To: pamldap@...
> > Subject: [pamldap] forced password changes
> >
> >
> > Folks;
> >
> > I am not having much luck making forced password changes work with
> > LDAP.
> >
> >
> > I have a working OpenLDAP server providing passwd, shadow,
> and group
> > information to a SuSE SLES10 SP2 client. Things are working well:
> > users can log in, can change their own passwords using
> 'passwd', and
> > so on. I want to be able to use the 'passwd -e' (or 'chage
> -E 0') to
> > cause a user to be prompted to select a new password the
> next time he
> > logs in, and this is not working correctly.
> >
> > 'passwd -e' correctly updates LDAP for the user, setting
> > 'passwordLastChange: 0', which matches the shadow semantics and is
> > expected. When the user logs in the next time, he receives
> a message
> > stating he must change his password, and is prompted for his old
> > password. (It'd be nice if it simply asked for a new one, but the
> > demonstrated behavior is acceptable). However, when the
> user types his
> > old password in at the prompt, it is rejected. If any password is
> > accepted here, I have been unable to determine what it is.
> >
> > wingnut:~ # telnet localhost
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > Welcome to SUSE Linux Enterprise Server 10 SP2 (s390x) - Kernel
> > 2.6.16.60-0.21-default (3).
> >
> > ldc1 login: user
> > Password:
> > You are required to change your LDAP password immediately.
> > Old Password:
> >
> > Authentication failure
> > Connection closed by foreign host.
> > wingnut:~ #
> >
> > This happens repeatably whenever passwordLastChange is set to 0 in
> > LDAP for any user. Forced password changes with 'passwd -e'
> still work
> > for any locally defined users (/etc/shadow, etc.). I have
> > 'pam_password exop' in ldap.conf, and my PAM configuration
> is more or
> > less equivalent to the following:
> >
> > account sufficient pam_ldap.so
> > account required pam_unix2.so
> > auth required pam_env.so
> > auth sufficient pam_unix2.so
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> > password required pam_pwcheck.so nullok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_unix2.so nullok use_authtok
> > session required pam_limits.so
> > session required pam_unix2.so
> > session optional pam_ldap.so
> >
> > Does this work for anybody? Any ideas what might be going wrong, or
> > what I might trace to shed light on the situation?
> >
> > Thanks;
> >
> > ok
> > r.
> >
> >
>
>
After looking at the source (pam_ldap.c) I discovered that the pam_ldap
documentation is a little misleading with regard to the equivalence of
use_authtok and use_first_pass, so I decided to try tweaking pam.conf
some more. I found that changing this:
password sufficient pam_ldap.so use_authtok
to this:
password sufficient pam_ldap.so try_first_pass
causes the "Old password:" prompt to appear just as it has been, only
now authentication succeeds, and the forced password change works
correctly without requiring 'pam_password crypt' set in /etc/ldap.conf.
Can somebody who understands pam_ldap better than I do explain why that
should have made the difference? Demonstrably, it works, but I am at a
loss to explain why.
ok
r.
> -----Original Message-----
> From: Stricklin, Raymond J
> Sent: Wednesday, November 26, 2008 3:06 PM
> To: pamldap@...
> Subject: RE: [pamldap] forced password changes
>
> Folks;
>
> I need to reclassify my problem.
>
> The problem is that somewhere in the auth chain there is an
> inappropriate dependence on CRYPT style encrypted passwords.
> I am not sure how to track down where.
>
> If I edit /etc/ldap.conf and change 'pam_password' from
> 'exop' (or indeed anything) to 'crypt', the expired passwords
> and forced changes work correctly.
>
> How can I track down what piece of software is ignoring PAM
> during the password change and depending on a CRYPT style
> password? I'm sure it's got to be whatever's printing "Old
> password:" in the session excerpt quoted below... but what
> piece is that?
>
> ok
> r.
>
> > -----Original Message-----
> > From: Stricklin, Raymond J
> > Sent: Tuesday, November 25, 2008 11:53 AM
> > To: pamldap@...
> > Subject: [pamldap] forced password changes
> >
> >
> > Folks;
> >
> > I am not having much luck making forced password changes work with
> > LDAP.
> >
> >
> > I have a working OpenLDAP server providing passwd, shadow,
> and group
> > information to a SuSE SLES10 SP2 client. Things are working well:
> > users can log in, can change their own passwords using
> 'passwd', and
> > so on. I want to be able to use the 'passwd -e' (or 'chage
> -E 0') to
> > cause a user to be prompted to select a new password the
> next time he
> > logs in, and this is not working correctly.
> >
> > 'passwd -e' correctly updates LDAP for the user, setting
> > 'passwordLastChange: 0', which matches the shadow semantics and is
> > expected. When the user logs in the next time, he receives
> a message
> > stating he must change his password, and is prompted for his old
> > password. (It'd be nice if it simply asked for a new one, but the
> > demonstrated behavior is acceptable). However, when the
> user types his
> > old password in at the prompt, it is rejected. If any password is
> > accepted here, I have been unable to determine what it is.
> >
> > wingnut:~ # telnet localhost
> > Trying 127.0.0.1...
> > Connected to localhost.
> > Escape character is '^]'.
> > Welcome to SUSE Linux Enterprise Server 10 SP2 (s390x) - Kernel
> > 2.6.16.60-0.21-default (3).
> >
> > ldc1 login: user
> > Password:
> > You are required to change your LDAP password immediately.
> > Old Password:
> >
> > Authentication failure
> > Connection closed by foreign host.
> > wingnut:~ #
> >
> > This happens repeatably whenever passwordLastChange is set to 0 in
> > LDAP for any user. Forced password changes with 'passwd -e'
> still work
> > for any locally defined users (/etc/shadow, etc.). I have
> > 'pam_password exop' in ldap.conf, and my PAM configuration
> is more or
> > less equivalent to the following:
> >
> > account sufficient pam_ldap.so
> > account required pam_unix2.so
> > auth required pam_env.so
> > auth sufficient pam_unix2.so
> > auth sufficient pam_ldap.so use_first_pass
> > auth required pam_deny.so
> > password required pam_pwcheck.so nullok
> > password sufficient pam_ldap.so use_authtok
> > password required pam_unix2.so nullok use_authtok
> > session required pam_limits.so
> > session required pam_unix2.so
> > session optional pam_ldap.so
> >
> > Does this work for anybody? Any ideas what might be going wrong, or
> > what I might trace to shed light on the situation?
> >
> > Thanks;
> >
> > ok
> > r.
> >
> >
>
>
« Return to Thread: forced password changes
| Free embeddable forum powered by Nabble | Forum Help |
