[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Odd password reset issue



On Saturday 21 June 2008 12:49:52 pm Anthony Porcano wrote:
> In ES3 bundled openldap - password policy controls are limited to
> shadow attributes. You don't mention them, but I assume you are using
> shadow attributes to control when passwords expire. This is a somewhat
> outdated way of managing password policy. While it's been far from
> painless we have ppolicy implemented and mostly working in our shop.
> Overall it's worth the investment as it opens up much more
> functionality.
>
> Upgrades aside, what you're trying to do should work. There's a few
> things you can check. First - be aware of what the shadow attributes
> are set to. This is relevant in troubleshooting. You should look at
> the shadowLastChange field to see if that is getting updated when a
> user runs passwd from a client. If this isn't happening try checking
> whether you have "pam_passwd exop" enabled in your client's /etc/
> ldap.conf. I might be wrong here, but I think this might be needed in
> order to get shadowLastChange updating.
>

And double-check that the shadowLastChange attribute is allowed in your ACLs, 
only when you are not using the rootdn with your nss/pam configuration
>   --AP
>
> On Jun 21, 2008, at 4:47 AM, Kevin Brammer wrote:
> > Running the OpenLDAP server bundled with RH ES3.  I had OpenLDAP
> > running successfully.  I could authenticate, pull information from the
> > directory - everything seemed great!  After the 90 day password rule I
> > had put in place, I got the "your password has expired" message.  I
> > tried to change it, said it was successful.  A subsequent login
> > received the same message. Again I changed it, and it said successful.
> > Now, I can't even login.
> >
> > I changed my user's password as root using ldappasswd, and a check of
> > the entry shows the hash changing accordingly.  However, I still can't
> > login as the user.
> >
> > Any ideas?



-- 
Jorge Armando Medina
Computación Gráfica de México
Web: www.e-compugraf.com
Tel: 55 51 40 72
email: jmedina@e-compugraf.com
GPG Key: 1024D/28E40632 2007-07-26
GPG Fingerprint: 59E2 0C7C F128 B550 B3A6  D3AF C574 8422 28E4 0632

Attachment: signature.asc
Description: This is a digitally signed message part.