Re: Ppolicy:pwdMustChange TRUE does not force User to change his Password

> Hi anybody!
>
> i use ppolicy overlay to enforce password policy to my ldap user
> objects. i also use pam_ldap and libnss-ldap on client side so the linux
> client can authenticate and also work with the password-policy thingies
> like expiration and stuff. it works well with one exception:
>
> It seems that some component on the Client side does not work well on
> that "User Must Change Password after administrative Password Reset"
> Topic. In Fact, that User is still able to login (as usual) and IS NOT
> FORCED to change his Password the moment he logs in. In another Case,
> say if the users password expires the common way that User IS BEING
> FORCED to change his PW the moment he logs in. But it wont do that way
> if his PW is just "Reset by Admin".
>
> My slap.conf contains pwdMustChange:true
> my Users LDAP Account contains the "pwdReset TRUE" attribute too
>
> If the User now logs on, he will get ONE ADDITIONAL LINE OF TEXT saying
> „Change After Reset“ to his console. Anything else is just as usual.

>
> enforcing at all.
>
> So why that ?! Shouldnt there be a Promt requesting the User to enter
> his new password ?!?
>
> I searched tons of Docs and Manuals and squeezed Google for days. No
> luck yet.. Would you Help?
>
> see config files down that mail.
>
> regards
> Axel
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> # grep -v ^# libnss-ldap.conf | cat -s
> @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
>
> base dc=org
>
> uri ldap://server
>
> ldap_version 3
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # grep -v ^# pam_ldap.conf | cat -s
>
> base dc=org
>
> uri ldap://server
>
> ldap_version 3
>
> pam_password clear
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # grep -v ^# nsswitch.conf | cat -s
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> hosts: files dns
> networks: files
>
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
>
> netgroup: nis
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # grep -v ^# ldap.conf | cat -s
>
> BASE dc=org
> URI ldap://server
>
> SIZELIMIT 0
> TIMELIMIT 15
>
> TLS_CACERTDIR /etc/ssl/certs/
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> # grep -v ^# slapd.conf | cat -s
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/ppolicy.schema
>
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd/slapd.args
> loglevel 0
>
> modulepath /usr/lib/ldap
> moduleload back_bdb
> moduleload refint
> moduleload unique
> moduleload ppolicy
>
> sizelimit 500
> tool-threads 1
>
> backend bdb
> checkpoint 512 30
>
> database bdb
>
> suffix "dc=org"
>
> directory "/var/lib/ldap"
>
> dbconfig set_cachesize 0 2097152 0
>
> dbconfig set_lk_max_objects 1500
> dbconfig set_lk_max_locks 1500
> dbconfig set_lk_max_lockers 1500
>
> rootdn "cn=manager,dc=org"
> rootpw ldap
>
> index objectClass eq
> index cn eq,sub
>
> password-hash {SHA}
>
> lastmod on
>
> overlay refint
> refint_attributes member uniqueMember seeAlso
> refint_nothing cn=EMPTY
>
> overlay unique
> unique_base dc=org
> unique_attributes uid mail
>
> overlay ppolicy
> ppolicy_default cn=Standard,ou=pPolicies,dc=org
> ppolicy_use_lockout
> ppolicy_hash_cleartext
>
> access to attrs=userPassword,shadowLastChange,pwdHistory
> by dn="uid=admin,dc=org" write
> by anonymous auth
> by self write
> by * none
>
> access to dn.base="" by * read
>
> access to *
> by dn="uid=admin,dc=org" write
> by * read
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~