
Re: [Fwd: PAM not warning for password expiration]



On Friday, 3 September 2010 13:15:21 Dannie Obbink wrote:
> -------- Forwarded Message --------
> 
> > From: Obbink, D. (Dannie) <dannie.obbink@vtspn.nl>
> > To: openldap-technical@openldap.org
> > Subject: PAM not warning for password expiration
> > Date: Thu, 22 Jul 2010 19:29:36 +0200
> > 
> > When users with an expired account try to log on to an application
> > making a bind using the user's own credentials, everything works as
> > expected; users cannot log in, access gets denied. In the slapd
> > logging, the following message is displayed:
> > 
> > Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an
> > expired password: 0 grace logins
> > 
> > But when trying to log into PAM (ssh, su etc.), there is no warning
> > displayed that the account is expired. The user is also allowed to
> > log in normally.
> > 
> > I've been Googling for a couple of days now, and can't really find the
> > culprit.
> > 
> > I was especially interested in this thread:
> > http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
> > 
> > So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
> > 
> > When I try to bind directly, such as with an ldapsearch, the logging
> > shows
> > 
> > Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for
> > password expiry for uid=<user> = 4318121 seconds
> > 
> > So, that seems to be correct.
> > But, when logging in via PAM, the log does not display the "setting
> > warning".
> > 
> > <SNIP>
> > 
> > Thank you for any responses,
> > Dannie Obbink
> 
> Hello list,
> 
> Well, I finally found a workaround which "works for me"; use SSSD (found
> in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6).
> 
> SSSD, unlike pam_ldap, IS nice enough to warn me for impending password
> expiry.
> 
> I found multiple bugs about this (really helps if you know what to
> search) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and
> http://bugs.centos.org/view.php?id=4468&nbn=5
> 
> I just wanted to share with you all that this definitely looks like a
> pam_ldap bug.

No bug in pam_ldap, probably just a problem with your 'account' lines in your 
pam stack. For me, on RHEL4 and RHEL5 and Mandriva etc., pam_ldap warns 
appropriately for impending password expiry, and forces password changes after 
the password has expired.

There have been a number of threads on this list, in a few of which I have 
posted the solution.

Regards,
Buchan
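As an added illustration of the 'account' lines Buchan refers to (not part of the thread, and not an authconfig or pam_ldap file): the two account-phase stacks below are assumed fragments of an RHEL5-style /etc/pam.d/system-auth, modelled on authconfig's layout; the module options and control flags are assumptions for this example.

```text
# --- Stack that shows the symptom from the original post ---
# pam_ldap is present only in the auth phase. The bind still reaches slapd
# (which is why ppolicy_bind messages appear in the slapd log), but nothing
# in the account phase consults pam_ldap, so no expiry warning is printed
# and no expired-password enforcement happens from the PAM side.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     required      pam_permit.so            # no pam_ldap here

# --- Corrected account phase ---
# pam_ldap's warning ("Password will expire in N days") and its refusal of
# an expired account are produced by its account-management hook, so the
# module must also be listed in the account phase. The bracketed control
# value lets local (non-LDAP) users pass, fails LDAP users whose policy
# check fails, and ignores users unknown to the directory.
account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
```

A quick check on a host showing the symptom is to confirm that the account phase of the PAM service in use (sshd, su, or the system-auth file they include) contains a pam_ldap.so line at all.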