I also want to enforce strong password policies for my ldap users.
for which i configured pam module on each ldap client in following way.
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally.so deny=5 unlock_time=300
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 \
reject_username
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0066
I am having following problems with my configuration.
1. Although configured password history (pam_unix.so remember =5) is not working for ldap users, while other password policies (pam_cracklib,pam_tally) are working fine.
2. I also observed that I can't change/set any users password as root user (using passwd username).
Following is my ldap client configuration file (ldap.conf).
base dc=mycomp,dc=com
bind_timelimit 120
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
pam_check_host_attr
pam_password md5
ssl no
timelimit 120
tls_cacertdir /etc/openldap/cacerts
For further troubleshooting I observer my /var/log/secure file while changing ldap user's passwod.
passwd: pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
but #getent passwd show me the username.
Thanks in advance.
--
Regards,
Meghanand N. Acharekar
" A proud GNU\Linux User "
Reg Linux User #397975
------------------------------------------
I was born free! No Gates and Windows can restrict my Freedom !!!