Re: pwdRESET not working
- To: openldap-technical <openldap-technical@openldap.org>
- Subject: Re: pwdRESET not working
- From: Net Warrior <netwarrior863@gmail.com>
- Date: Mon, 21 May 2018 12:10:44 -0300
- In-reply-to: <ef40298a-d821-c66a-4112-6beead399e0d@gmail.com>
- References: <CAP7y58PYuoLJusteEuCwdsce_wyWj2oQjEkQrKap+7RV1m-CAw@mail.gmail.com> <acb181e8-c665-369b-486b-536cd5c2ddde@worteks.com> <ef40298a-d821-c66a-4112-6beead399e0d@gmail.com>
Hello,
When I force the expiration by changing pwdMaxAge, what I can see in the
log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired
password: 0 grace logins
I test the login; I get two warnings as configured, but the user is
never forced to change it and can log in as usual. Any hint on this?
I was expecting something like this; this is from my old notes (2013),
at that time it worked:
You are required to change your LDAP password immediately.
Last login: Wed Feb 13 12:07:38 2013 from server.domain.com
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user pmorales.
Enter login(LDAP) password:
My sssd configuration:
# sssd::config
[sssd]
domains = domain
services = nss, pam, ssh, sudo
config_file_version=2
[domain/zebra]
# sssd::provider::ldap
id_provider=ldap
auth_provider=ldap
chpass_provider=ldap
ldap_uri=ldap://openldap.domain.com
ldap_chpass_uri=ldap://openldap.domain.com
ldap_search_base=dc=domain,dc=com
ldap_tls_reqcert=never
ldap_tls_cacert=/etc/openldap/cacerts/ca_certs.pem
ldap_tls_cacertdir=/etc/openldap/cacerts
ldap_id_use_start_tls=false
ldap_user_search_base=ou=Users,dc=domain,dc=com
ldap_group_search_base=ou=Groups,dc=domain,dc=com
debug_level=6
ldap_sudo_search_base=cn=sudo,ou=Groups,dc=domain,dc=com
ldap_chpass_update_last_change=true
ldap_user_shadow_last_change=shadowLastChange
ldap_pwd_policy=shadow
nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
System-Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so umask=0077
Password Auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so umask=0077
Thanks
Regards
2018-05-10 11:45 GMT-03:00 Net Warrior <netwarrior863@gmail.com>:
> Hi
>
> From time to time I need to reset user passwords when they forget them, so I
> want to force them to change it when they connect over SSH. As far as I
> remember this worked before (I do not remember which OpenLDAP version it was,
> it was a long time ago). Anyway, how can I force users to change their
> passwords upon SSH connection? Or is it not possible anymore?
>
>
> Thanks
> Regards
>
>
> On 05/08/2018 09:25 AM, Clément OUDOT wrote:
>>
>>
>> Le 03/05/2018 à 16:23, Net Warrior a écrit :
>>>
>>> Hello there guys, when setting pwdReset to TRUE I cannot log in to
>>> the system anymore, I just get "permission denied". Then I found this:
>>>
>>> https://github.com/pwm-project/pwm/issues/155
>>>
>>> Did I face that bug or maybe it's something else?
>>
>>
>> It's not a bug. If pwdReset is set to TRUE, the BIND will be successful,
>> but you will not be allowed to do any operation other than changing the
>> password. If your application is doing a SEARCH just after the BIND, you
>> will be denied.
>>
>>
>>
>
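The thread mixes two different mechanisms: the server-side ppolicy overlay (pwdReset, pwdMaxAge, grace logins, and the ppolicy_bind log line quoted above) and sssd's client-side evaluation, which the poster's config selects with ldap_pwd_policy=shadow. As an added example that is not part of the thread and not OpenLDAP's or sssd's own code, the Python script below parses ppolicy_bind lines out of a slapd log and lists entries reported as expired with no grace logins left, evaluates expiry from pwdChangedTime and pwdMaxAge the way the overlay does (including the pwdReset=TRUE "bind succeeds, only a password change is allowed" state Clément describes), and reports which ldap_pwd_policy each sssd domain uses. The log lines, DNs and sssd.conf fragment are constructed for the example; only the log line format, the attribute names and the option name come from the thread.

```python
"""Added example (not from the thread): the checks relevant to the question.

1. Parse slapd's ppolicy_bind log line and list DNs whose password has
   expired with 0 grace logins.  A successful login for such a DN means the
   client side is not honouring the server-side policy.
2. Evaluate expiry from pwdChangedTime + pwdMaxAge as the ppolicy overlay
   does (pwdMaxAge 0 = never expires), plus the pwdReset=TRUE state.
3. Read ldap_pwd_policy from an sssd.conf: it selects sssd's *client-side*
   evaluation (shadow attributes in the poster's config; sssd's default is
   'none').

All sample data below is constructed for this example.
"""
import configparser
import re
from datetime import datetime, timedelta, timezone

# Format of the slapd log line quoted in the message above.
PPOLICY_BIND_RE = re.compile(
    r"ppolicy_bind: Entry (?P<dn>\S+) has an expired password: "
    r"(?P<grace>\d+) grace logins"
)


def parse_ppolicy_bind(line):
    """Return {'dn', 'grace_logins'} for a ppolicy_bind line, else None."""
    m = PPOLICY_BIND_RE.search(line)
    if not m:
        return None
    return {"dn": m.group("dn"), "grace_logins": int(m.group("grace"))}


def expired_without_grace(log_lines):
    """Sorted DNs that slapd reported as expired with 0 grace logins left."""
    hits = (parse_ppolicy_bind(line) for line in log_lines)
    return sorted({h["dn"] for h in hits if h and h["grace_logins"] == 0})


def parse_generalized_time(value):
    """LDAP GeneralizedTime as stored in pwdChangedTime, e.g. 20180101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(pwd_changed_time, pwd_max_age, now, pwd_reset=False):
    """Classify an entry at bind time.

    'must-change': pwdReset is TRUE; the bind succeeds but only a password
                   change is permitted afterwards.
    'expired':     now >= pwdChangedTime + pwdMaxAge seconds.
    'ok':          otherwise, or pwdMaxAge is 0 (no expiry).
    """
    if pwd_reset:
        return "must-change"
    if pwd_max_age <= 0:
        return "ok"
    expires = parse_generalized_time(pwd_changed_time) + timedelta(seconds=pwd_max_age)
    return "expired" if now >= expires else "ok"


def sssd_pwd_policy(conf_text):
    """Map each [domain/NAME] section to its ldap_pwd_policy (default 'none')."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {
        sect.split("/", 1)[1]: cp.get(sect, "ldap_pwd_policy", fallback="none")
        for sect in cp.sections()
        if sect.startswith("domain/")
    }


# Constructed sample data (hypothetical DNs and domain, not from any real system).
SAMPLE_LOG = [
    "ppolicy_bind: Entry uid=jdoe,ou=Users,dc=example,dc=com has an expired password: 0 grace logins",
    "ppolicy_bind: Entry uid=asmith,ou=Users,dc=example,dc=com has an expired password: 2 grace logins",
    'conn=1001 op=0 BIND dn="uid=bjones,ou=Users,dc=example,dc=com" method=128',
]

SAMPLE_SSSD_CONF = """
[sssd]
domains = example
services = nss, pam

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_pwd_policy = shadow
"""

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("expired, no grace left:", expired_without_grace(SAMPLE_LOG))
    print("state of a 90-day-old password:",
          password_state("20180101000000Z", 90 * 86400, now))
    print("sssd client-side policy per domain:", sssd_pwd_policy(SAMPLE_SSSD_CONF))
```

Running it against a real slapd log and sssd.conf gives the two facts worth comparing when a user is reported as expired by ppolicy yet still logs in: which DNs the server already considers out of grace, and whether the client is evaluating shadow attributes rather than the server's policy.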