
Re: pwdMustChange and pwdExpireWarning



On Wednesday, 18 August 2010 22:26:38 weigao88@gmail.com wrote:
> Hello Buchan
> 
> I am running the rpm package openldap server 2.3 that comes with CentOS 5.4

So test this client from the "server".

> and my ldap client is CentOS 4. Looks like there is no ldapwhoami -e
> ppolicy option on the CentOS 4 client, as you can see below. I have also
> copied and pasted the client's /etc/pam.d/system-auth below.
> 
> 
> [user1@ldapclient ~]$ ldapwhoami -e ppolicy
> Invalid general control name: ppolicy
> Issue LDAP Who am I? operation to request user's authzid
> 
> usage: ldapwhoami [options]

You will of course actually have to *read* the usage instructions and supply 
suitable options/values.

> [user1@ldapclient ~]$ cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> 
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_localuser.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so

I usually go for something more like:

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so

But, if you aren't going to bother to learn how PAM works, you probably 
shouldn't be taking advice from random strangers on the internet.

Regards,
Buchan
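To see what the two account stacks above actually do under Linux-PAM's control-flag rules (the keyword-to-[value=action] tables and the ok/done/bad/die/ignore semantics from pam.conf(5)), here is an added simulator. It is not code from the thread or from either poster; the per-module return values it is fed are constructed scenarios (for instance, that pam_localuser reports perm_denied for a user who is not in /etc/passwd, or that pam_ldap reports user_unknown when it cannot find the entry), not observations from the poster's system.

```python
"""Simulate a pam.d 'account' stack under Linux-PAM control semantics (pam.conf(5)).
Added example for this thread, not the poster's or Buchan's code; the module return
values fed to it below are constructed scenarios, not observed module behaviour."""
from typing import Dict, List, Tuple

# pam.conf(5): the keyword controls are shorthand for these [value=action] tables.
KEYWORDS: Dict[str, Dict[str, str]] = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=ok default=bad]' -> value->action table."""
    if control.startswith("[") and control.endswith("]"):
        return dict(pair.split("=", 1) for pair in control[1:-1].split())
    return KEYWORDS[control]


def parse_stack(text: str, facility: str = "account") -> List[Tuple[str, Dict[str, str]]]:
    """Parse pam.d-style lines for one facility into (module .so name, action table)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fac, rest = line.split(None, 1)
        if fac != facility:
            continue
        if rest.startswith("["):                      # bracket control contains spaces
            end = rest.index("]")
            control, module = rest[:end + 1], rest[end + 1:].split()[0]
        else:
            control, module = rest.split()[:2]        # module arguments do not matter here
        stack.append((module.rsplit("/", 1)[-1], parse_control(control)))
    return stack


def evaluate(stack, results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Walk the stack like libpam's dispatch loop; results maps module -> return value.
    State is an 'impression' (undefined/positive/negative) plus the status to hand back."""
    impression, status, trace, i = None, "perm_denied", [], 0   # a stack nobody vouches for fails
    while i < len(stack):
        module, table = stack[i]
        retval = results[module]
        action = table.get(retval, table.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action in ("ok", "done") or action.isdigit():
            # ok only overrides an undefined or still-successful state, so it can
            # never paper over an earlier 'bad' from a required module
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                                 # sufficient: stop early on success
            if action.isdigit():                      # N: like ok, then skip N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "negative":              # the first failure fixes the status
                impression, status = "negative", retval
            if action == "die":
                break                                 # requisite: stop immediately
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r}")
        i += 1
    return status, trace


# Account stack from the original post (wrapped pam_ldap line rejoined) and from the reply.
POSTED = """
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""
SUGGESTED = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_ldap.so
account required pam_deny.so
"""

# Constructed per-module results for an LDAP-only user (not in /etc/passwd, uid >= 100).
LDAP_USER_OK = {"pam_unix.so": "success", "pam_localuser.so": "perm_denied",
                "pam_succeed_if.so": "auth_err", "pam_ldap.so": "success",
                "pam_permit.so": "success", "pam_deny.so": "perm_denied"}
# Same user, but pam_ldap cannot find the entry and reports user_unknown.
LDAP_USER_UNKNOWN = dict(LDAP_USER_OK, **{"pam_ldap.so": "user_unknown"})
# A local user whose shadow entry pam_unix reports as expired.
LOCAL_EXPIRED = dict(LDAP_USER_OK, **{"pam_unix.so": "acct_expired",
                                      "pam_localuser.so": "success", "pam_ldap.so": "user_unknown"})


def compare(results: Dict[str, str]) -> Tuple[str, str]:
    """Final status of the posted stack and of the suggested stack for one set of results."""
    return evaluate(parse_stack(POSTED), results)[0], evaluate(parse_stack(SUGGESTED), results)[0]


if __name__ == "__main__":
    for name, results in [("ldap user ok", LDAP_USER_OK), ("ldap user_unknown", LDAP_USER_UNKNOWN),
                          ("local account expired", LOCAL_EXPIRED)]:
        posted, suggested = compare(results)
        print(f"{name:22s} posted={posted:13s} suggested={suggested}")
```

The user_unknown row is the one that matters: with pam_ldap mapped to user_unknown=ignore and a trailing required pam_permit, the posted stack returns success for an account that pam_ldap never vouched for, whereas the suggested stack falls through to pam_deny and fails closed. The expired-local-user row shows the other rule worth knowing: a sufficient module that succeeds after a required module has already failed does not short-circuit the stack, and the earlier failure is what the application gets. Which return codes the real modules produce for a given account is up to each module, so confirm the behaviour on the actual host rather than trusting the constructed inputs here.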