RE: openldap pwdReset

Here is my defined ppolicy. I have defined in my /etc/ldap.conf pam_password exop. Password history and check_password was working when I had pam_password md5. I wonder if it has something to do with the way the password is being hashed.

dn: cn=default,ou=policies,dc=turbocorp,dc=com

cn: default

sn: surname

objectClass: pwdPolicy

objectClass: person

objectClass: top

objectClass: pwdPolicyChecker

pwdAttribute: userPassword

pwdInHistory: 3

pwdMinLength: 8

pwdMaxFailure: 5

pwdLockout: TRUE

pwdLockoutDuration: 300

pwdAllowUserChange: TRUE

pwdSafeModify: FALSE

pwdMinAge: 0

pwdExpireWarning: 1209600

pwdCheckModule: /usr/local/libexec/openldap/check_password.so

pwdGraceAuthNLimit: 3

pwdFailureCountInterval: 86400

pwdCheckQuality: 2

pwdMustChange: TRUE

pwdMaxAge: 172800

John Allgood

Senior Systems Administrator

OHL Transportation Services

2251 Jesse Jewell Pky. NE

Gainesville, GA 30507

tel: (678) 989-3051 fax: (770) 531-7878

jallgood@ohl.com

www.ohl.com

From: Adam Leach [mailto:adam.m.leach@gmail.com]
Sent: Thursday, June 24, 2010 11:24 AM
To: Allgood, John
Cc: SATOH Fumiyasu; openldap-technical@openldap.org
Subject: Re: openldap pwdReset

It would help if you would attach the ppolicy that this entry uses in order to make sure it is configured correctly...

On Thu, Jun 24, 2010 at 7:56 AM, Allgood, John <jallgood@ohl.com> wrote:

Yes I set that yesterday but now my password history is not working. It seems when I get one thing working something else breaks. Any ideas on the password history?

John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051 fax: (770) 531-7878

jallgood@ohl.com
www.ohl.com

> -----Original Message-----
> From: SATOH Fumiyasu [mailto:fumiyas@osstech.jp]
> Sent: Wednesday, June 23, 2010 8:23 PM
> To: Allgood, John
> Cc: 'openldap-technical@openldap.org'
> Subject: Re: openldap pwdReset
>
> Hi,
>
> At Wed, 23 Jun 2010 08:39:03 -0500,
> Allgood, John wrote:
> > I have a question for you all. I am using openldap 2.4.31 on Centos
> 5.5 and using the ppolicy overlay. I have also compiled the smbk5
> module to update the samba attr when the user password is updated. My
> problem is to change the password and have the samba password update I
> have to use ldappasswrd which works great. If I force a pwdReset and
> login via gdm the password program take over and sets the posix
> password but this does not change the samba side nor does it adhere to
> the ppolicy. I am thinking this may something related to
> /etc/pamd/system-auth file but not sure. Any feedback would be
> appreciated.
>
> If you are using PADL pam_ldap.so (included in nss_ldap package),
> you must set "pam_password exop" in your /etc/ldap.conf.
>
> --
> -- Name: SATOH Fumiyasu (fumiyas @ osstech co jp)
> -- Business Home: http://www.OSSTech.co.jp/
> -- Personal Home: http://www.SFO.jp/blog/

______________________________________________________

This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.

--
Adam Leach
BS Computer/Electrical Engineering
West Virginia University
Systems Administrator - Raytheon
(304)677-4455