Re: pwdMustChange and pwdExpireWarning
On Wednesday, 18 August 2010 22:26:38 weigao88@gmail.com wrote:
> Hello Buchan
>
> I am running the rpm package openldap server 2.3 that comes with CentOS 5.4
So test this client from the "server".
> and my ldap client is CentOS 4. Looks like there is no ldapwhoami -e
> ppolicy option on CentOS4 client, as you can see below. I also copy and
> paste the client's /etc/pam.d/system-auth below.
>
>
> [user1@ldapclient ~]$ ldapwhoami -e ppolicy
> Invalid general control name: ppolicy
> Issue LDAP Who am I? operation to request user's authzid
>
> usage: ldapwhoami [options]
You will of course actually have to *read* the usage instructions, and supply
suitable options/values.
> [user1@ldapclient ~]$ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
I usually go for something more like:
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so
But, if you aren't going to bother to learn how PAM works, you probably
shouldn't be taking advice from random strangers on the internet.
Regards,
Buchan
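The two account stacks above differ in what happens when pam_ldap neither succeeds nor reports a hard failure. The posted stack ends in pam_permit and treats pam_ldap's user_unknown as ignore, so a user that NSS resolves but pam_ldap does not know is allowed through the account phase; the suggested stack ends in pam_deny, so the same user is refused. The following Python model walks both stacks the way Linux-PAM's dispatcher does, using the control-flag semantics documented in pam.conf(5) (ok, done, bad, die, ignore; jumps and reset are left out). This is an added example, not code from the thread or from PAM itself. The names POSTED and SUGGESTED, the helper _user, and the per-module return codes in SCENARIOS are assumptions made up for the illustration (in particular that pam_unix with broken_shadow succeeds for any user NSS resolves, that pam_localuser returns a non-success code for non-local users, that pam_deny's account hook returns acct_expired, and that pam_ldap reports a must-change condition as new_authtok_reqd).

```python
"""Model of how Linux-PAM walks an `account` stack, used to compare the two
stacks from this thread. Added example; not code from the thread or from PAM.
Implements the control-flag actions documented in pam.conf(5)
(ok/done/bad/die/ignore); jumps and 'reset' are not modelled."""

# PAM return codes used below (symbolic; numeric values do not matter here)
SUCCESS = "success"
NEW_AUTHTOK_REQD = "new_authtok_reqd"
ACCT_EXPIRED = "acct_expired"
USER_UNKNOWN = "user_unknown"
PERM_DENIED = "perm_denied"
AUTH_ERR = "auth_err"

# Keyword controls expanded exactly as pam.conf(5) defines them
CONTROL = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(spec):
    """Turn 'required' or '[value=action ...]' into a value -> action table."""
    spec = CONTROL.get(spec.strip(), spec.strip())
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("unknown control: %r" % spec)
    table = {}
    for pair in spec[1:-1].split():
        value, action = pair.split("=", 1)
        table[value] = action
    # return values not listed count as 'bad' unless a default is given
    table.setdefault("default", "bad")
    return table


def run_stack(stack, module_returns):
    """Walk [(control, module), ...]; module_returns maps module -> return code.
    Returns the code the application would get back from pam_acct_mgmt()."""
    impression = None      # None: undecided; True: positive; False: negative
    status = PERM_DENIED   # what an empty or all-'ignore' stack yields
    for control, module in stack:
        retval = module_returns[module]
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # 'ok' only contributes while the stack has not already failed
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            # the first failure's code is the one reported
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        else:
            raise ValueError("unsupported action: %r" % action)
    return status if impression is not None else PERM_DENIED


# The account stack from the posted CentOS 4 system-auth
POSTED = [
    ("required", "pam_unix"),
    ("sufficient", "pam_localuser"),
    ("sufficient", "pam_succeed_if"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_ldap"),
    ("required", "pam_permit"),
]
# The stack suggested in the reply
SUGGESTED = [
    ("required", "pam_unix"),
    ("sufficient", "pam_localuser"),
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]


def _user(ldap_result, local=False):
    """Constructed per-module outcomes for one user (assumptions, see comments)."""
    return {
        "pam_unix": SUCCESS,                 # broken_shadow: any NSS-resolved user passes
        "pam_localuser": SUCCESS if local else PERM_DENIED,  # only /etc/passwd users
        "pam_succeed_if": AUTH_ERR,          # uid >= 100 for every user modelled here
        "pam_ldap": ldap_result,
        "pam_permit": SUCCESS,
        "pam_deny": ACCT_EXPIRED,            # assumed account-hook return of pam_deny
    }


SCENARIOS = {
    "local user": _user(USER_UNKNOWN, local=True),
    "ldap user, account ok": _user(SUCCESS),
    "ldap user, password must change": _user(NEW_AUTHTOK_REQD),
    "ldap user, account expired": _user(ACCT_EXPIRED),
    # e.g. resolved by another NSS source, or outside pam_ldap's pam_filter
    "nss user that pam_ldap does not know": _user(USER_UNKNOWN),
}


def compare(scenarios=SCENARIOS):
    """Return {scenario: (result with POSTED, result with SUGGESTED)}."""
    return {name: (run_stack(POSTED, r), run_stack(SUGGESTED, r))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (posted, suggested) in compare().items():
        print("%-38s posted=%-17s suggested=%s" % (name, posted, suggested))
```

Running compare() shows the stacks agreeing for local users, healthy LDAP users, expired LDAP accounts and the must-change case (both hand new_authtok_reqd back to the application), and disagreeing only for the user pam_ldap ignores: the posted stack returns success because pam_permit is the last word, the suggested one returns pam_deny's failure. That matters more than it looks, because services such as sshd run the account stack for every login, including public-key logins that never touch the auth stack, so a fail-open account stack is the only gate those logins pass through.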