forced password changes


forced password changes

by r.stricklin


Folks;

I am not having much luck making forced password changes work with LDAP.


I have a working OpenLDAP server providing passwd, shadow, and group
information to a SuSE SLES10 SP2 client. Things are working well: users
can log in, can change their own passwords using 'passwd', and so on. I
want to be able to use the 'passwd -e' (or 'chage -E 0') to cause a user
to be prompted to select a new password the next time he logs in, and
this is not working correctly.

'passwd -e' correctly updates LDAP for the user, setting
'passwordLastChange: 0', which matches the shadow semantics and is
expected. When the user logs in the next time, he receives a message
stating he must change his password, and is prompted for his old
password. (It'd be nice if it simply asked for a new one, but the
demonstrated behavior is acceptable). However, when the user types his
old password in at the prompt, it is rejected. If any password is
accepted here, I have been unable to determine what it is.

wingnut:~ # telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Welcome to SUSE Linux Enterprise Server 10 SP2 (s390x) - Kernel
2.6.16.60-0.21-default (3).

ldc1 login: user
Password:
You are required to change your LDAP password immediately.
Old Password:

Authentication failure
Connection closed by foreign host.
wingnut:~ #

This happens repeatably whenever passwordLastChange is set to 0 in LDAP
for any user. Forced password changes with 'passwd -e' still work for
any locally defined users (/etc/shadow, etc.). I have 'pam_password
exop' in ldap.conf, and my PAM configuration is more or less equivalent
to the following:

account sufficient      pam_ldap.so
account required        pam_unix2.so
auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_ldap.so use_first_pass
auth    required        pam_deny.so
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_authtok
password required       pam_unix2.so    nullok use_authtok
session required        pam_limits.so
session required        pam_unix2.so
session optional        pam_ldap.so

Does this work for anybody? Any ideas what might be going wrong, or what
I might trace to shed light on the situation?

Thanks;

ok
r.


RE: forced password changes

by r.stricklin

Folks;

I need to reclassify my problem.

The problem is that somewhere in the auth chain there is an
inappropriate dependence on CRYPT style encrypted passwords. I am not
sure how to track down where.

If I edit /etc/ldap.conf and change 'pam_password' from 'exop' (or
indeed anything) to 'crypt', the expired passwords and forced changes
work correctly.

How can I track down what piece of software is ignoring PAM during the
password change and depending on a CRYPT style password? I'm sure it's
got to be whatever's printing "Old password:" in the session excerpt
quoted below... but what piece is that?

ok
r.

> -----Original Message-----
> From: Stricklin, Raymond J
> Sent: Tuesday, November 25, 2008 11:53 AM
> To: pamldap@...
> Subject: [pamldap] forced password changes


RE: forced password changes

by r.stricklin

Again...

After looking at the source (pam_ldap.c) I discovered that the pam_ldap
documentation is a little misleading with regard to the equivalence of
use_authtok and use_first_pass, so I decided to try tweaking pam.conf
some more. I found that changing this:

   password sufficient pam_ldap.so use_authtok

to this:

   password sufficient pam_ldap.so try_first_pass

causes the "Old password:" prompt to appear just as it has been, only
now authentication succeeds, and the forced password change works
correctly without requiring 'pam_password crypt' set in /etc/ldap.conf.

Can somebody who understands pam_ldap better than I do explain why that
should have made the difference? Demonstrably, it works, but I am at a
loss to explain why.

ok
r.

> -----Original Message-----
> From: Stricklin, Raymond J
> Sent: Wednesday, November 26, 2008 3:06 PM
> To: pamldap@...
> Subject: RE: [pamldap] forced password changes
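A small model of the posted password stack, added here as an illustration; it is not code from pam_ldap, pam_unix2 or pam_pwcheck, and the return-code names, the "<old>"/"<new>" tokens and the prompt labels inside it are assumptions (the label "Old Password:" is reused only as a tag and says nothing about which real module prints it). The model implements the standard Linux-PAM control-flag rules (required, requisite, sufficient, optional) and the generic meaning of use_first_pass, try_first_pass and use_authtok as documented for pam_unix: the first two govern reuse of the old password (PAM_OLDAUTHTOK), use_authtok governs reuse of the new one (PAM_AUTHTOK). It also accepts any pam.conf-style stack, so it goes beyond the one posted. Two things it shows for the stack in the first message: because pam_pwcheck is `required` and runs first, a rejection of the old password there fails the whole phase no matter what pam_ldap returns later, which is why tracing which module rejects the old password matters; and under the generic convention use_authtok and try_first_pass behave identically once pam_pwcheck has already populated both tokens, so the difference observed in the third message has to come from pam_ldap's own option handling, which is exactly what its author is asking about.

```python
"""Toy model of a Linux-PAM password stack, added to reason about the thread.
Not code from pam_ldap, pam_unix2 or pam_pwcheck: it implements the standard
Linux-PAM control-flag semantics and the generic meaning of use_first_pass /
try_first_pass / use_authtok as pam_unix(8) documents them.  Module verdicts,
return-code names and prompt labels are constructed inputs, not observations."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"          # module rejected the old password
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"    # module had no usable new password

# The password stack from the first message of the thread.
POSTED_STACK = """
password required       pam_pwcheck.so  nullok
password sufficient     pam_ldap.so     use_authtok
password required       pam_unix2.so    nullok use_authtok
"""


@dataclass(frozen=True)
class Entry:
    phase: str
    control: str
    module: str
    args: Tuple[str, ...] = ()


@dataclass
class Handle:
    """The parts of pam_handle_t this model needs."""
    oldauthtok: Optional[str] = None                  # PAM_OLDAUTHTOK
    authtok: Optional[str] = None                     # PAM_AUTHTOK
    prompts: List[str] = field(default_factory=list)  # what conv() would show


def parse_pam_config(text: str) -> List[Entry]:
    """Parse pam.conf-style lines: <phase> <control> <module> [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            phase, control, module, *args = line.split()
            entries.append(Entry(phase, control, module, tuple(args)))
    return entries


def run_stack(entries: List[Entry], phase: str,
              call: Callable[[Entry, Handle], str], h: Handle) -> Tuple[str, List[str]]:
    """Walk one phase with Linux-PAM control flags; returns (result, modules run)."""
    ran: List[str] = []
    recorded: Optional[str] = None
    for e in (x for x in entries if x.phase == phase):
        rc = call(e, h)
        ran.append(e.module)
        if e.control == "requisite" and rc != PAM_SUCCESS:
            return rc, ran                          # fail at once
        if e.control == "required" and rc != PAM_SUCCESS:
            recorded = recorded or rc               # remember, but keep walking
        if e.control == "sufficient" and rc == PAM_SUCCESS and recorded is None:
            return PAM_SUCCESS, ran                 # short-circuit only if nothing required failed
        # "optional" only counts when it is the sole module in the stack; not needed here
    return recorded or PAM_SUCCESS, ran


def password_module(verdicts: Dict[str, str]) -> Callable[[Entry, Handle], str]:
    """A password-phase module: generic token options first, then the constructed verdict."""
    def call(e: Entry, h: Handle) -> str:
        if h.oldauthtok is None:                    # old password (PAM_OLDAUTHTOK)
            if "use_first_pass" in e.args:
                return PAM_AUTH_ERR                 # must reuse, but nothing to reuse
            h.prompts.append(f"{e.module}: Old Password:")  # no option, or try_first_pass
            h.oldauthtok = "<old>"
        if verdicts.get(e.module) == PAM_AUTH_ERR:
            return PAM_AUTH_ERR                     # this module rejected the old password
        if h.authtok is None:                       # new password (PAM_AUTHTOK)
            if "use_authtok" in e.args:
                return PAM_AUTHTOK_ERR              # must reuse, but nothing set yet
            h.prompts.append(f"{e.module}: New Password:")
            h.authtok = "<new>"
        return verdicts.get(e.module, PAM_SUCCESS)
    return call


def change_password(verdicts: Dict[str, str], config: str = POSTED_STACK):
    """Run the password phase; returns (result, modules run, prompts shown)."""
    h = Handle()
    result, ran = run_stack(parse_pam_config(config), "password", password_module(verdicts), h)
    return result, ran, h.prompts


def with_ldap_option(option: str, verdicts: Dict[str, str]):
    """The posted stack with pam_ldap's option swapped, e.g. use_authtok -> try_first_pass."""
    lines = [f"password sufficient pam_ldap.so {option}" if "pam_ldap.so" in ln else ln
             for ln in POSTED_STACK.splitlines()]
    return change_password(verdicts, "\n".join(lines))


if __name__ == "__main__":
    print(change_password({"pam_pwcheck.so": PAM_AUTH_ERR}))   # required failure first: phase fails
    print(change_password({}))                                 # pam_ldap short-circuits, pam_unix2 never runs
    print(with_ldap_option("try_first_pass", {}))              # identical to the line above in this model
```

Feed `change_password` a dict of which modules would fail and it returns the phase result, the modules that actually ran and the prompts the user would have seen, so a stack can be reasoned about before it is installed on a box. Passing a stack without pam_pwcheck shows the real difference between the two options in the generic convention: with `use_authtok` a first-position pam_ldap has no new token to reuse and fails, leaving pam_unix2 to do the change, while with `try_first_pass` it prompts for both passwords itself.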


RE: forced password changes

by Andrew Morgan

On Wed, 26 Nov 2008, Stricklin, Raymond J wrote:

> Again...
>
> After looking at the source (pam_ldap.c) I discovered that the pam_ldap
> documentation is a little misleading with regard to the equivalence of
> use_authtok and use_first_pass, so I decided to try tweaking pam.conf
> some more. I found that changing this:
>
>   password sufficient pam_ldap.so use_authtok
>
> to this:
>
>   password sufficient pam_ldap.so try_first_pass
>
> causes the "Old password:" prompt to appear just as it has been, only
> now authentication succeeds, and the forced password change works
> correctly without requiring 'pam_password crypt' set in /etc/ldap.conf.
>
> Can somebody who understands pam_ldap better than I do explain why that
> should have made the difference? Demonstrably, it works, but I am at a
> loss to explain why.

I thought "try_first_pass" told that PAM module to try using the password
already obtained by the previous module in the stack.  I don't know what
use_authtok means though.

  Andy