
forced password changes

by r.stricklin


Folks;

I am not having much luck making forced password changes work with LDAP.


I have a working OpenLDAP server providing passwd, shadow, and group
information to a SuSE SLES10 SP2 client. Things are working well: users
can log in, can change their own passwords using 'passwd', and so on. I
want to be able to use the 'passwd -e' (or 'chage -E 0') to cause a user
to be prompted to select a new password the next time he logs in, and
this is not working correctly.

'passwd -e' correctly updates LDAP for the user, setting
'passwordLastChange: 0', which matches the shadow semantics and is
expected. When the user logs in the next time, he receives a message
stating he must change his password, and is prompted for his old
password. (It'd be nice if it simply asked for a new one, but the
demonstrated behavior is acceptable.) However, when the user types his
old password in at the prompt, it is rejected. If any password is
accepted here, I have been unable to determine what it is.

wingnut:~ # telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to SUSE Linux Enterprise Server 10 SP2 (s390x) - Kernel
2.6.16.60-0.21-default (3).

ldc1 login: user
Password:
You are required to change your LDAP password immediately.
Old Password:

Authentication failure
Connection closed by foreign host.
wingnut:~ #

This happens repeatably whenever passwordLastChange is set to 0 in LDAP
for any user. Forced password changes with 'passwd -e' still work for
any locally defined users (/etc/shadow, etc.). I have 'pam_password
exop' in ldap.conf, and my PAM configuration is more or less equivalent
to the following:

account sufficient      pam_ldap.so
account required        pam_unix2.so
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_authtok
password required       pam_unix2.so    nullok use_authtok
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_ldap.so

Does this work for anybody? Any ideas what might be going wrong, or what
I might trace to shed light on the situation?

Thanks;

ok
r.
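The post hinges on the shadow(5) ageing semantics that the LDAP shadowAccount attributes mirror: a last-change day of 0 is what tells a login that a change is required right now. The following is an added example, not code from the original post, that evaluates those attributes for an LDIF entry the way a shadow-aware login does, so you can see which directory entries will trigger the forced-change prompt before the user hits it. It assumes the value 'passwd -e' writes is the shadowAccount attribute shadowLastChange (the post names it passwordLastChange; both spellings are accepted), and the sample entries are constructed.

```python
from dataclasses import dataclass

@dataclass
class ShadowAging:
    # -1 means "attribute absent", which disables that check
    last_change: int = -1    # shadowLastChange; 0 = change required at next login
    max_days: int = -1       # shadowMax
    inactive_days: int = -1  # shadowInactive
    expire: int = -1         # shadowExpire (absolute day since epoch, not an interval)

# 'passwordLastChange' is accepted only because the post quotes that name;
# the shadowAccount schema attribute is shadowLastChange.
ATTRS = {"shadowlastchange": "last_change", "passwordlastchange": "last_change",
         "shadowmax": "max_days", "shadowinactive": "inactive_days",
         "shadowexpire": "expire"}

def parse_entry(ldif: str) -> ShadowAging:
    """Pick the ageing attributes out of a simple (unfolded) LDIF entry."""
    aging = ShadowAging()
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        field = ATTRS.get(attr.strip().lower())
        if sep and field:
            setattr(aging, field, int(value))
    return aging

def evaluate(a: ShadowAging, today: int) -> str:
    """Apply the shadow(5) checks in the order a login does; 'today' is days since epoch."""
    if a.expire >= 0 and today > a.expire:
        return "account expired"
    if a.last_change == 0:                 # what 'passwd -e' sets
        return "password change required"
    if a.last_change < 0 or a.max_days < 0:
        return "ok"                        # ageing disabled for this entry
    pw_expires = a.last_change + a.max_days
    if today > pw_expires:
        if a.inactive_days >= 0 and today > pw_expires + a.inactive_days:
            return "account locked (inactive period exceeded)"
        return "password expired, change required"
    return "ok"

# Constructed sample entries (not real users).
FORCED = "dn: uid=alice,ou=people,dc=example,dc=com\nshadowLastChange: 0\nshadowMax: 90"
AGED = ("dn: uid=bob,ou=people,dc=example,dc=com\nshadowLastChange: 14000\n"
        "shadowMax: 90\nshadowInactive: 7")

def check(ldif: str, today: int) -> str:
    return evaluate(parse_entry(ldif), today)
```

Feeding the output of an ldapsearch for a single user into check() with today's day number (e.g. `$(( $(date +%s) / 86400 ))`) tells you whether the directory values alone explain the "must change your LDAP password" prompt, separating the ageing question from the exop/old-password failure in pam_ldap.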
