
Re: Re: pwdMustChange and pwdExpireWarning



Hello Buchan

I am running the rpm package openldap server 2.3 that comes with CentOS 5.4, and my LDAP client is CentOS 4. It looks like there is no ldapwhoami -e ppolicy option on the CentOS 4 client, as you can see below. I also copy and paste the client's /etc/pam.d/system-auth below.


[user1@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (an RFC 2254 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
-h host LDAP server
-H URI LDAP Uniform Resource Indentifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-O props SASL security properties
-o <opt>[=<optparam>] general options
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)



[user1@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

#password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so


Do you see anything configured wrong in my /etc/pam.d/system-auth? Thanks so much for your help with this issue.

Regards
Wei



On Aug 17, 2010 4:43am, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
> On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
> > Hello Buchan
> >
> > I set pwdReset manually and it worked.  Thank you.
> >
> > For my issue regarding pwdExpireWarning not displaying warning message when
> > I ssh into my systems, I still can't figure out what I did wrong.  Here is
> > my default policy:
> >
> > dn: cn=default,ou=Policies,dc=example,dc=company
> > objectClass: top
> > objectClass: device
> > objectClass: pwdPolicy
> > cn: default
> > pwdAllowUserChange: TRUE
> > pwdAttribute: userPassword
> > pwdCheckQuality: 2
> > pwdExpireWarning: 1209600
> > pwdFailureCountInterval: 0
> > pwdGraceAuthNLimit: 0
> > pwdInHistory: 24
> > pwdLockout: TRUE
> > pwdLockoutDuration: 0
> > pwdMaxAge: 5184000
> > pwdMaxFailure: 3
> > pwdMinLength: 12
> > pwdMustChange: TRUE
> > pwdSafeModify: FALSE
>
> So, test your policy with ldapwhoami (with appropriate options, see man page),
> with -e ppolicy option to display ppolicy controls in the response.
>
> > pwdMaxAge works perfectly and so does every other attribute, except
> > pwdExpireWarning.  pwdExpireWarning is the only one I am having issues
> > now.  Not sure what I did wrong.  Do you need to know any other details?
>
> If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
> This will not be the only pam_ldap feature (host-based authorization with
> pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
> PAM authorization settings. See my previous reply:
>
> You need to supply your PAM configuration if anyone is to assist you further.
>
> > > > expire in 12 days, how come I don't see a warning message when I ssh to my
> > > > system?
> > >
> > > Misconfigured PAM stack probably (authorization, IOW account lines).
> > > There have been previous solutions in previous threads on this topic, and
> > > without any details of your system it isn't possible to assist further.
>
> Regards,
> Buchan
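Since the reply above points at the account lines, here is an added example (not from this thread, and not Linux-PAM's or pam_ldap's own code): a small Python model of Linux-PAM's stack dispatch, run over the account lines exactly as posted in Wei's system-auth, to show which modules actually run for a given user and which status the stack hands back to sshd. The per-module return values are constructed assumptions, and the model is simplified (no PAM_IGNORE caching, no jump or reset actions).

```python
# Added example, not from the thread: replay Linux-PAM's dispatch over the
# "account" lines of the system-auth posted above (simplified model).
import re
# Legacy control keywords rewritten as [value=action] tables (pam.conf(5)).
KEYWORDS = {"required": "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
            "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
            "optional": "[success=ok new_authtok_reqd=ok default=ignore]"}
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

def parse_stack(text, facility):          # -> [(module basename, {retval: action})]
    stack = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(1) == facility:
            ctl = KEYWORDS.get(m.group(2), m.group(2))
            table = dict(p.split("=") for p in ctl[1:-1].split())
            stack.append((m.group(3).rsplit("/", 1)[-1], table))
    return stack
def dispatch(stack, results):             # mimic _pam_dispatch_aux(): (status, ran)
    impression, status, ran = "undef", "perm_denied", []
    for module, table in stack:
        retval = results[module]                    # simulated module return value
        ran.append(module)
        action = table.get(retval, table.get("default", "bad"))  # assumes unlisted -> bad
        if action in ("ok", "done"):
            if impression == "undef" or (impression, status) == ("positive", "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                               # sufficient: stop early on success
        elif action in ("bad", "die"):
            if impression != "negative":            # the first failure is what is reported
                impression, status = "negative", retval
            if action == "die":
                break
        elif action != "ignore":
            raise NotImplementedError("jump/reset actions not modelled")
    return status, ran
# Account lines exactly as posted above; the per-module results below are
# constructed assumptions (an LDAP-only user, the same user with pwdReset, a local user).
SYSTEM_AUTH = """account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so"""
ACCOUNT = parse_stack(SYSTEM_AUTH, "account")
LDAP_USER = {"pam_unix.so": "success", "pam_localuser.so": "perm_denied",
             "pam_succeed_if.so": "auth_err", "pam_ldap.so": "success", "pam_permit.so": "success"}
LDAP_USER_PWDRESET = dict(LDAP_USER, **{"pam_ldap.so": "new_authtok_reqd"})  # pwdReset set
LOCAL_USER = dict(LDAP_USER, **{"pam_localuser.so": "success"})             # in /etc/passwd
```

Under these assumed results the LDAP-only user does reach pam_ldap.so (so its account phase runs), a pwdReset user gets new_authtok_reqd back from the stack, and a local user stops at pam_localuser.so without pam_ldap.so ever running.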