Re: Forced password change not allowed

[Matt Burkhardt <mlb@imparisystems.com>]

Thanks Matt - 

With your hint, I was able to start digging around and found out that the problem was with pam - I ended up going into /etc/pam.d/common-password and change

password   sufficient   pam_ldap.so use_first_pass
password   sufficient   pam_ldap.so

Not quite sure what it does - but it works and I'll read the man pam pages later

On Tue, 2009-07-28 at 07:21 -0600, Matt Kassawara wrote:
>     You probably don't have the slapd ACLs configured so clients can read the necessary shadow fields... particularly those governing password age (e.g., shadowLastChange, shadowMax).
>     
>     On Tue, Jul 28, 2009 at 5:52 AM, <mlb@imparisystems.com> wrote:
> >         I've got openLDAP running and installed the pam and nss libraries so it
> >         would also control the Linux passwords. I'm trying to sign onto my server
> >         using ssh - but once I enter my username and password, I get
> >         
> >         WARNING: Your password has expired.
> >         You must change your password now and login again!
> >         Enter login(LDAP) password:
> >         
> >         Now being a bad security person, I always use the exact same username /
> >         password combination and they don't work.
> >         
> >         If a use either nothing (just hit Enter) or if I put in the standard
> >         password I get
> >         
> >         passwd: Authentication information cannot be recovered
> >         passwd: password unchanged
> >         Connection to ubuntu closed.
> >         
> >         If I enter in some nonsensical string I get
> >         
> >         LDAP Password incorrect: try again
> >         Enter login(LDAP) password:
> >         
> >         
> >         However, that is the only root level user on the machine and I have TONS of
> >         stuff on it. How do I fix? Is this an openLDAP issue or something else?
> >         
> >         Thanks
> >         
> >     
>