
Not getting password expiry warnings on login
Hello,

I've gotten our password policy to function as it should - passwords expire, requiring password changes; old passwords can't be reused; etc.

I'm working on the last little detail - getting the password expiration warning to display.

For example, I see in the logs:
"Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds"

But I never get the notice on login clients - regardless of client type (even from the machine to itself).

I suspect y'all are going to be interested in ldap.conf and the PAM config, so here they are, along with some possibly relevant bits:

/etc/ldap.conf:
uri                     ldaps://ldapmaster1.corp.aptimus.net
timelimit               10
bind_timelimit          10
bind_policy             soft
base                    dc=unix,dc=aptimus,dc=net
scope                   sub
ssl                     on
tls_checkpeer           no
tls_cacertfile          /etc/openldap/cacert.pem
pam_login_attribute     uid
pam_lookup_policy       yes
pam_password            exop

/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006

# grep -i pam /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# PAMAuthenticationViaKbdInt no
UsePAM yes

Ppolicy directives in /etc/openldap/slapd.conf (under the sole database definition):
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout


AND just for giggles, I decided to see if I could get the version of the pam_ldap.so that's installed, and ran strings on it. I noticed two things:
1.3.6.1.4.1.42.2.27.8.5.1
(objectclass=passwordPolicy)

The ppolicy.schema file I compiled uses IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here?

(I suspect and hope that the last bit here is a totally unrelated red herring.)

Thanks,
- chris


Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu
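Editor's note, added to the thread and not part of the poster's message: the 1.3.6.1.4.1.42.2.27.8.5.1 string found in pam_ldap.so is the Password Policy request/response control OID from draft-behera-ldap-password-policy, while the 1.3.6.1.4.1.42.2.27.8.1.x numbers in ppolicy.schema are the policy attribute types (pwdMaxAge, pwdExpireWarning, and so on), so the two sets of OIDs are expected to differ. The slapd log line above shows the overlay computing the warning; whether a client ever displays it depends on the client attaching the request control (same OID, empty value) to its bind and then decoding the response control. The following stdlib-only Python is an added example, not code from the original post, OpenLDAP or pam_ldap: it encodes the PasswordPolicyResponseValue exactly as slapd's ppolicy overlay tags it and decodes it back, using a hand-constructed sample value for the 3141-second warning in the log rather than anything captured from a server.

```python
"""Encode/decode the LDAP Password Policy response control value
(draft-behera-ldap-password-policy, control OID 1.3.6.1.4.1.42.2.27.8.5.1).

Added example, not code from the original post.  Pure stdlib; the sample
values below are constructed by hand, not captured from a live slapd.
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Tags as the OpenLDAP ppolicy overlay emits them (context-specific class):
TAG_SEQUENCE = 0x30
TAG_WARNING = 0xA0   # [0] constructed: CHOICE of the two warnings below
TAG_EXPIRE = 0x80    # [0] IMPLICIT INTEGER timeBeforeExpiration (seconds)
TAG_GRACE = 0x81     # [1] IMPLICIT INTEGER graceAuthNsRemaining
TAG_ERROR = 0x81     # [1] IMPLICIT ENUMERATED error (at SEQUENCE level)

PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(value):
    """Minimal big-endian two's-complement, as BER requires (e.g. 200 -> 00 C8)."""
    length = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(length, "big", signed=True)


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def encode_ppolicy_response(time_before_expiration=None,
                            grace_authns_remaining=None, error=None):
    """Build PasswordPolicyResponseValue the way slapd's ppolicy overlay does.

    A grace warning takes precedence over an expiry warning, matching the
    overlay: once the password has expired only grace logins are reported.
    """
    body = b""
    if grace_authns_remaining is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_GRACE, _ber_int(grace_authns_remaining)))
    elif time_before_expiration is not None:
        body += _tlv(TAG_WARNING, _tlv(TAG_EXPIRE, _ber_int(time_before_expiration)))
    if error is not None:
        body += _tlv(TAG_ERROR, _ber_int(error))
    return _tlv(TAG_SEQUENCE, body)


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated control value")
    return tag, buf[pos:end], end


def decode_ppolicy_response(value):
    """Parse a response control value into a dict; keys appear only if sent:
    timeBeforeExpiration (seconds), graceAuthNsRemaining, error (name)."""
    tag, body, end = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE or end != len(value):
        raise ValueError("value is not a single SEQUENCE")
    result, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == TAG_WARNING:
            wtag, wval, wend = _read_tlv(inner, 0)
            if wend != len(inner):
                raise ValueError("trailing bytes inside warning CHOICE")
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == TAG_EXPIRE:
                result["timeBeforeExpiration"] = n
            elif wtag == TAG_GRACE:
                result["graceAuthNsRemaining"] = n
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == TAG_ERROR:
            code = int.from_bytes(inner, "big", signed=True)
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def describe(result):
    """Render the decoded control as the one-line notice a login client would show."""
    msgs = []
    if "error" in result:
        msgs.append("Password policy error: %s" % result["error"])
    if "timeBeforeExpiration" in result:
        s = result["timeBeforeExpiration"]
        msgs.append("Password will expire in %d day(s), %d hour(s), %d minute(s)"
                    % (s // 86400, s % 86400 // 3600, s % 3600 // 60))
    if "graceAuthNsRemaining" in result:
        msgs.append("Password expired; %d grace login(s) remaining"
                    % result["graceAuthNsRemaining"])
    return "; ".join(msgs) or "No password policy warning"


# Constructed sample: the value slapd would attach to the bind response for
# the log line "Setting warning for password expiry ... = 3141 seconds".
SAMPLE_EXPIRY_WARNING = bytes.fromhex("3006a00480020c45")   # 0x0c45 == 3141

if __name__ == "__main__":
    print(describe(decode_ppolicy_response(SAMPLE_EXPIRY_WARNING)))
```

A PAM or SSH client only has something to display if the bind request carried the request control; the response value above is what it must decode when the server answers. The decoder rejects trailing bytes and unknown tags rather than skipping them, which is the safer behaviour for anything parsing server-supplied BER.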