Not getting password expiry warnings on login
Hello,
I've gotten our password policy to function as it should - passwords expire, requiring password changes, can't use old passwords, etc.
I'm working on last little detail - getting the password expiration warning to display.
For example, I see in the logs:
"Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds"
But I never get the notice on login clients - regardless of client type (even from machine to itself).
I suspect y'all are going to be interested in ldap.conf and pam config, so here they are, along with some possibly relevant bits:
/etc/ldap.conf:
uri ldaps://ldapmaster1.corp.aptimus.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=unix,dc=aptimus,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
# grep -i pam /etc/ssh/sshd_config
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# PAMAuthenticationViaKbdInt no
UsePAM yes
Ppolicy directives in /etc/openldap/slapd.conf (under the sole database definition):
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
AND just for giggles, I decided to see if I could get the version of pam_ldap.so that's installed, and ran strings on it. I notice two things:
1.3.6.1.4.1.42.2.27.8.5.1
(objectclass=passwordPolicy)
The ppolicy.schema file compiled used IDs 1.3.6.1.4.1.42.2.27.8.1.x - not ..8.5.x - could I possibly have some weird mismatch here?
(I suspect and hope that the last bit here is a totally unrelated red herring.)
Thanks,
- chris
Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations
Apollo Group | Apollo Marketing | Aptimus, Inc.
2001 6th Ave | Ste 3200 | Seattle, WA 98121
phone: 206.441-9100 x1245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
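An added example, not part of the original post or of the pam_ldap/OpenLDAP code: the OID 1.3.6.1.4.1.42.2.27.8.5.1 that turned up in the pam_ldap binary is the LDAP Password Policy control (draft-behera-ldap-password-policy), which is distinct from the ppolicy schema attribute OIDs under ...8.1.x. The "3141 seconds" warning in the slapd log is sent to the client as the BER-encoded value of that control on the bind response, and the PAM client has to request, decode and display it. The decoder below shows what that value looks like on the wire; the log scanner beside it turns the same slapd log line into a defender-side check for accounts about to expire. The control bytes and the second log line are constructed for this example.

```python
"""Decode the LDAP Password Policy response control (OID
1.3.6.1.4.1.42.2.27.8.5.1) and scan slapd log lines for ppolicy expiry
warnings. Added example; the sample bytes and log lines are constructed.

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,
          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED OPTIONAL }
"""
import re

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Enumerated error values from the ppolicy draft.
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Decode a PasswordPolicyResponseValue into a dict of its optional fields."""
    result = {"time_before_expiration": None,
              "grace_authns_remaining": None,
              "error": None}
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                    # warning [0]: explicit tag around a CHOICE
            ctag, num, _ = _read_tlv(inner, 0)
            secs = int.from_bytes(num, "big")
            if ctag == 0x80:               # timeBeforeExpiration [0] INTEGER, implicit
                result["time_before_expiration"] = secs
            elif ctag == 0x81:             # graceAuthNsRemaining [1] INTEGER, implicit
                result["grace_authns_remaining"] = secs
            else:
                raise ValueError("unknown warning choice tag 0x%02x" % ctag)
        elif tag == 0x81:                  # error [1] ENUMERATED, implicit
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def encode_expiry_warning(seconds):
    """Encode a response value carrying only timeBeforeExpiration (for tests/round-trips)."""
    n = seconds.to_bytes((seconds.bit_length() + 8) // 8, "big")  # keeps sign bit clear
    inner = bytes([0x80, len(n)]) + n
    choice = bytes([0xA0, len(inner)]) + inner
    return bytes([0x30, len(choice)]) + choice


# Matches the line slapd's ppolicy overlay logs when it adds the warning control.
WARN_RE = re.compile(
    r"ppolicy_bind: Setting warning for password expiry for (?P<dn>\S+) = (?P<secs>\d+) seconds")


def expiring_accounts(log_lines, threshold_seconds=7 * 86400):
    """Return [(dn, seconds_left)] for warnings at or below the threshold."""
    hits = []
    for line in log_lines:
        m = WARN_RE.search(line)
        if m and int(m.group("secs")) <= threshold_seconds:
            hits.append((m.group("dn"), int(m.group("secs"))))
    return hits


# Constructed sample input: the line from the post plus one far-from-expiry account.
SAMPLE_LOG = [
    "Mar 29 19:27:38 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for "
    "password expiry for uid=chrisjtest,ou=people,dc=unix,dc=aptimus,dc=net = 3141 seconds",
    "Mar 29 19:28:02 ldapmaster1 slapd[32653]: ppolicy_bind: Setting warning for "
    "password expiry for uid=exampleuser,ou=people,dc=example,dc=net = 1000000 seconds",
]

# Constructed control value: 3141 seconds before expiry, as slapd would send it.
SAMPLE_WARNING_CONTROL = bytes.fromhex("3006a00480020c45")

if __name__ == "__main__":
    print(decode_ppolicy_response(SAMPLE_WARNING_CONTROL))
    print(expiring_accounts(SAMPLE_LOG))
```

The decoder is deliberately strict: an unexpected tag raises instead of being skipped, so a client-side mismatch between what the server sent and what the client expects surfaces as an error rather than as a silently missing warning.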