
Re: Ppolicy:pwdMustChange TRUE does not force User to change his Password

by Axel Werner


Thanks for the reply.
Well... I changed my /etc/pam_ldap.conf as suggested... >>> No difference! See this...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# /etc/pam_ldap.conf | cat -s

base dc=org
uri ldap://server
ldap_version 3
pam_password exop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

See Result when a User logs in:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
login as: ldapuser1

Debian GNU/Linux 4.0 \n \l

ldapuser1@... password:
Change After Reset
Last login: Sat Jan 17 09:11:37 2009 from somehostname
ldapuser1@aw-deb40:~$
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Again... there is no need for the user to change his password, even though the LDAP manager has reset it.
Isn't this WRONG behaviour?!
Why is the user not forced to change his password now??

regards
Axel




On 22.01.2009 08:27, Mathieu MILLET wrote:
On Wed, 21 Jan 2009 13:22:03 +0100, Axel Werner mail@... wrote:
Hi anybody!

I use the ppolicy overlay to enforce a password policy on my LDAP user
objects. I also use pam_ldap and libnss-ldap on the client side so the Linux
client can authenticate and also work with the password-policy thingies
like expiration and stuff. It works well with one exception:

It seems that some component on the client side does not work well on
that "User Must Change Password after administrative Password Reset"
topic. In fact, that user is still able to log in (as usual) and IS NOT
FORCED to change his password the moment he logs in. In another case,
say if the user's password expires the common way, that user IS BEING
FORCED to change his password the moment he logs in. But it won't work that way
if his password is just "reset by admin".

My slapd.conf contains pwdMustChange:true
my user's LDAP account contains the "pwdReset TRUE" attribute too

If the user now logs on, he will get ONE ADDITIONAL LINE OF TEXT saying
"Change After Reset" on his console. Anything else is just as usual. No
enforcing at all.

So why is that?! Shouldn't there be a prompt requesting the user to enter
his new password?!?

I searched tons of docs and manuals and squeezed Google for days. No
luck yet... Would you help?

See config files further down in this mail.

regards
Axel


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# grep -v ^# libnss-ldap.conf | cat -s
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $

base dc=org

uri ldap://server

ldap_version 3

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# pam_ldap.conf | cat -s

base dc=org

uri ldap://server

ldap_version 3

pam_password clear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# nsswitch.conf | cat -s

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# ldap.conf | cat -s

BASE dc=org
URI ldap://server

SIZELIMIT 0
TIMELIMIT 15

TLS_CACERTDIR /etc/ssl/certs/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# grep -v ^# slapd.conf | cat -s

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel 0

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload refint
moduleload unique
moduleload ppolicy

sizelimit 500
tool-threads 1

backend bdb
checkpoint 512 30

database bdb

suffix "dc=org"

directory "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0

dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

rootdn "cn=manager,dc=org"
rootpw ldap

index objectClass eq
index cn eq,sub

password-hash {SHA}

lastmod on

overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY

overlay unique
unique_base dc=org
unique_attributes uid mail

overlay ppolicy
ppolicy_default cn=Standard,ou=pPolicies,dc=org
ppolicy_use_lockout
ppolicy_hash_cleartext

access to attrs=userPassword,shadowLastChange,pwdHistory
by dn="uid=admin,dc=org" write
by anonymous auth
by self write
by * none

access to dn.base="" by * read

access to *
by dn="uid=admin,dc=org" write
by * read

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hi,

In your pam_ldap.conf, you should specify <<pam_password exop>> instead of
<<pam_password clear>>.

That way, you will use the standard LDAP EXtended OPeration for changing the
password, instead of simply "modifying" the userPassword attribute (in
clear text, which will then be hashed).

Also, for storing your passwords in your directory, you should use SSHA
instead of SHA, so that if the "raw" content of the directory is accessed, the
passwords can't be compared easily to (hashed) dictionaries.

Hope it can help,
Sincerely yours, Mathieu MILLET.
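Editor's note on where the server-side settings in this thread actually live. pwdMustChange is not a slapd.conf directive; it is an attribute of the pwdPolicy entry that the posted `ppolicy_default cn=Standard,ou=pPolicies,dc=org` line points to, and pwdReset is an operational attribute the overlay sets on the user entry when the password is modified by a DN other than the user while that policy has pwdMustChange TRUE (see slapo-ppolicy(5)). The LDIF below is an added example, not configuration from the thread: it takes the suffix, the policy DN and the uid=admin,dc=org DN from the posted slapd.conf, while the user DN (uid=ldapuser1,ou=people,dc=org), the temporary password and the numeric limits are assumptions chosen for illustration.

```ldif
# Added example for this thread, not the poster's configuration.
# Part 1: the default policy entry referenced by
#   ppolicy_default cn=Standard,ou=pPolicies,dc=org
# in the posted slapd.conf.  pwdMustChange belongs here, on the
# pwdPolicy entry (an AUXILIARY class, hence the structural "person").
# Numeric limits are illustrative assumptions.  Load with ldapadd.
dn: ou=pPolicies,dc=org
objectClass: organizationalUnit
ou: pPolicies

dn: cn=Standard,ou=pPolicies,dc=org
objectClass: top
objectClass: person
objectClass: pwdPolicy
cn: Standard
sn: Standard
pwdAttribute: userPassword
pwdMustChange: TRUE
pwdMaxAge: 7776000
pwdExpireWarning: 1209600
pwdGraceAuthNLimit: 3
pwdLockout: TRUE
pwdMaxFailure: 5
pwdLockoutDuration: 900
pwdMinLength: 8
pwdInHistory: 5
pwdSafeModify: FALSE

# Part 2: an administrative reset, applied with ldapmodify while bound as
# uid=admin,dc=org (which the posted ACL grants write on userPassword).
# The user DN and the temporary password are assumptions.  Because the
# modifier is not the entry itself and the policy has pwdMustChange TRUE,
# the overlay adds pwdReset: TRUE to the entry; ppolicy_hash_cleartext in
# the posted slapd.conf hashes the cleartext value on the way in.
dn: uid=ldapuser1,ou=people,dc=org
changetype: modify
replace: userPassword
userPassword: TemporaryPassword1
```

After the reset, `ldapsearch -x -D uid=admin,dc=org -W -b dc=org uid=ldapuser1 pwdReset pwdChangedTime` should show `pwdReset: TRUE` (operational attributes must be requested by name). The overlay removes pwdReset again once the user changes the password himself, which is the server-side state the client is expected to drive him to.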
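The "Change After Reset" line in Axel's login transcript corresponds to the changeAfterReset error (value 2) carried in the LDAP Password Policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy) that slapd's ppolicy overlay attaches to the bind response when the entry has pwdReset TRUE. The server has said its part; turning that into a forced password change is the client's job. The following is an added example, not code from the thread, from pam_ldap or from OpenLDAP: it decodes the control value with a small BER reader and maps it to the outcome a PAM-style client should reach. The sample control values are constructed by hand, and `login_decision()` is my own model of what the poster expects, not pam_ldap's actual logic. One check the page does not show and a practitioner would make next: pam_ldap.conf is posted but /etc/pam.d is not, and it is the PAM account and password stacks that decide whether a "new authentication token required" result from the module is acted on at login.

```python
"""Decoder for the LDAP Password Policy response control.

Added example for this thread, not code from pam_ldap or OpenLDAP.  The
control OID and ASN.1 layout come from draft-behera-ldap-password-policy;
the sample values at the bottom are constructed by hand, and
login_decision() is an assumed client policy, not pam_ldap's logic.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# PasswordPolicyResponseValue ::= SEQUENCE {
#     warning [0] CHOICE {
#         timeBeforeExpiration [0] INTEGER,
#         graceAuthNsRemaining [1] INTEGER } OPTIONAL,
#     error   [1] ENUMERATED { ... } OPTIONAL }
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Return (tag, contents, end) for the BER element starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER contents")
    return tag, buf[pos:end], end


def _ber_int(contents):
    if not contents:
        raise ValueError("empty INTEGER")
    return int.from_bytes(contents, "big", signed=True)


def decode_ppolicy_response(control_value):
    """Parse a PasswordPolicyResponseValue into a dict.

    Possible keys: timeBeforeExpiration, graceAuthNsRemaining, error.
    Malformed input raises ValueError instead of being guessed at.
    """
    tag, body, end = _read_tlv(control_value, 0)
    if tag != 0x30 or end != len(control_value):
        raise ValueError("control value is not a single SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag == 0xA0:                     # warning [0], constructed
            wtag, wval, wend = _read_tlv(contents, 0)
            if wend != len(contents):
                raise ValueError("trailing bytes inside warning")
            if wtag == 0x80:
                out["timeBeforeExpiration"] = _ber_int(wval)
            elif wtag == 0x81:
                out["graceAuthNsRemaining"] = _ber_int(wval)
            else:
                raise ValueError("unknown warning choice 0x%02x" % wtag)
        elif tag == 0x81:                   # error [1], primitive ENUMERATED
            code = _ber_int(contents)
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response" % tag)
    return out


def is_well_formed(control_value):
    try:
        decode_ppolicy_response(control_value)
        return True
    except ValueError:
        return False


def must_change_password(control_value):
    """True when the server reports changeAfterReset (pwdReset TRUE on the entry)."""
    return decode_ppolicy_response(control_value).get("error") == "changeAfterReset"


def login_decision(bind_ok, control_value=None):
    """Assumed client policy (not pam_ldap's code): outcome of an account check.

    deny            - bind failed (bad password, locked, expired with no grace)
    change-password - bind succeeded but the policy demands a new password
    allow-warning   - bind succeeded, expiry is approaching
    allow           - nothing to report
    """
    if not bind_ok:
        return "deny"
    if control_value is None:
        return "allow"
    info = decode_ppolicy_response(control_value)
    if info.get("error") == "changeAfterReset" or "graceAuthNsRemaining" in info:
        return "change-password"
    if "timeBeforeExpiration" in info:
        return "allow-warning"
    return "allow"


# Constructed sample control values, not captured from the poster's server.
CHANGE_AFTER_RESET = bytes.fromhex("30 03 81 01 02")           # error changeAfterReset
EXPIRES_IN_1H = bytes.fromhex("30 06 a0 04 80 02 0e 10")       # timeBeforeExpiration 3600
TWO_GRACE_LOGINS = bytes.fromhex("30 05 a0 03 81 01 02")       # graceAuthNsRemaining 2
ACCOUNT_LOCKED = bytes.fromhex("30 03 81 01 01")               # error accountLocked

if __name__ == "__main__":
    for name, value in [("reset", CHANGE_AFTER_RESET), ("expiring", EXPIRES_IN_1H),
                        ("grace", TWO_GRACE_LOGINS)]:
        print(name, decode_ppolicy_response(value), "->", login_decision(True, value))
    print("locked", decode_ppolicy_response(ACCOUNT_LOCKED), "->",
          login_decision(False, ACCOUNT_LOCKED))
```

The reset case is the one in this thread: the bind succeeds, the control says changeAfterReset, and only a client that inspects the control and forces a password change before handing over a shell gives the behaviour the poster is asking for.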

