Here is my ldap.conf file
host server
base dc=mydomain,dc=org
ldap_version 3
port 389
scope sub
uri ldap://server.fras.frb.org/
pam_filter objectClass=posixAccount
pam_login_attribute uid
pam_password md5
pam_check_host_attr yes
In my ldap I select a user and set the shadowLastChanged attribute to 0
and that seems to expire the password for the given user; however, when I
ssh into the system I get disconnected right away.
My slapd.conf file appears as follows:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
access to dn=".*,dc=mydomain,dc=org" attr=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
loglevel 256
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
database bdb
suffix "dc=mydomain,dc=org"
#
# Define Rootdn
#
rootdn "cn=Manager,dc=mydomain,dc=org"
rootpw Something I made up...
#
# Data store
#
directory /var/lib/mydomain.org
mode 0600
index objectClass eq
index cn,uid eq
index uidNumber eq
index gidNumber eq
Here is my /etc/pam.d/sshd
auth required /lib/security/pam_nologin.so
auth required /lib/security/pam_unix2.so
auth required /lib/security/pam_unix.so shadow nullok use_first_pass
account required /lib/security/pam_unix2.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix2.so nullok use_authtok shadow
session required /lib/security/pam_unix2.so
And finally here is my /etc/security/pam_unix2.conf
#
# Example:
# auth: nullok
# account:
# password: nullok blowfish crypt_rounds=8
# session: none
#
auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok
session: none
Any idea what I might be doing wrong? I know that changing the ACLs will
affect the behavior. I have successfully modified the ACLs so that
shadowLastChanged is completely ignored, to the point where I am
disconnected if set to 0 and ok if set to -1. However, I cannot seem to
find the magic that enforces the change password.
Any thoughts?
By the way, thanks Sal, I did modify my ACLs to your suggestion for
testing. I have also looked at the version of pam_ldap.so that I am
using. I have pam_ldap-166.
Thanks!
Eric Sammons
(804)697-3925
FRIT - Unix Systems
"Sal Torres/SBC Inc." <[EMAIL PROTECTED]>
Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
12/19/2003 04:06 PM
Please respond to Linux on 390 Port
To: [EMAIL PROTECTED]
cc:
Subject: Re: Anyone using OpenLDAP with SLES8? Question
with...
*** Reply to note of Thu, 18 Dec 2003 10:18:41 -0500 (EST/CDT)
*** by [EMAIL PROTECTED]
I did a couple of tests and it seems to work for me (by default we use
SecurID for the authentication part). You may need a newer pam_ldap
version (I am using pam_ldap-164).
The ACL depends on if you are using anonymous bind or a proxy user
(rootbinddn). You can start with:
access to dn="..dc=com" attr=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
and change as needed.
SLES8 includes the CPU tool to add/change/delete users and groups.
Sal
Eric Sammons <[EMAIL PROTECTED]> writes:
>I have done that and it sort of worked. It seemed to take on the
>characteristics there after of a ACL problem. By changing the acls I get
>different behavior; however, I can't seem to find the right acls that
>cause the implementation to work.
>
>Do you have this working? Can I ask what your LDAP ACLs look like?
>
>Thanks!
>Eric Sammons
>(804)697-3925
>FRIT - Unix Systems
>
>"Sal Torres/SBC Inc." <[EMAIL PROTECTED]>
>Sent by: Linux on 390 Port <[EMAIL PROTECTED]>
>12/18/2003 10:03 AM
>Please respond to Linux on 390 Port
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Anyone using OpenLDAP with SLES8? Question with
>Passwords
>
>Try to set the shadow last change to zero. pam_ldap is supposed to
>expire the account:
>...
>    if (session->info->shadow.lstchg == 0)
>      {
>        /*
>         * Adhere to convention of a shadow last change
>         * value of 0 implying that the password has
>         * expired. Apparently this is documented in the
>         * shadow suite (libmisc/isexpired.c).
>         */
>        session->info->password_expired = 1;
>...
>
>sal
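The shadow-aging convention that Sal's quoted pam_ldap snippet refers to (a shadowLastChange of 0 meaning "password expired, change at next login", -1 meaning "aging disabled", and otherwise a comparison of today's day number against shadowMax, shadowInactive and shadowExpire) is written out below as an added C example. It is not code from this thread, from pam_ldap or from the shadow suite's libmisc/isexpired.c; the struct, the function names and the day numbers in main() are constructed for illustration only.

```c
#include <stdio.h>
#include <time.h>

/* Day-counter fields of a shadow entry, named after the nis.schema
 * attributes shadowLastChange, shadowMax, shadowInactive and shadowExpire.
 * Constructed for this example; it is not pam_ldap's session->info->shadow. */
struct shadow_aging {
    long lstchg;   /* days since 1970-01-01 of the last password change */
    long max;      /* days a password stays valid after lstchg; -1 = no limit */
    long inact;    /* grace days after expiry before the account locks; -1 = none */
    long expire;   /* absolute day on which the account expires; -1 = never */
};

/* Result of the aging check, ordered from "fine" to "account gone". */
enum aging_state {
    AGING_OK = 0,
    AGING_PASSWORD_EXPIRED = 1,   /* user must change the password at next login */
    AGING_ACCOUNT_INACTIVE = 2,   /* password expired and the grace period is over */
    AGING_ACCOUNT_EXPIRED = 3     /* shadowExpire has passed */
};

/* Evaluate the shadow aging fields for a given day number ("today" in days
 * since the epoch). The order of the checks follows the usual shadow-suite
 * convention: absolute account expiry first, then the two magic values of
 * the last-change field, then the relative limits. */
enum aging_state check_aging(const struct shadow_aging *sp, long today)
{
    /* Hard account expiry wins over everything else. */
    if (sp->expire > 0 && today >= sp->expire)
        return AGING_ACCOUNT_EXPIRED;

    /* Convention: a last-change day of 0 forces a change at next login.
     * This is the case pam_ldap's password_expired = 1 covers. */
    if (sp->lstchg == 0)
        return AGING_PASSWORD_EXPIRED;

    /* Convention: a negative last-change day means aging is disabled. */
    if (sp->lstchg < 0)
        return AGING_OK;

    /* Password expired and the inactivity grace period has also run out. */
    if (sp->max >= 0 && sp->inact >= 0 &&
        today >= sp->lstchg + sp->max + sp->inact)
        return AGING_ACCOUNT_INACTIVE;

    /* Password older than shadowMax days: must be changed. */
    if (sp->max >= 0 && today >= sp->lstchg + sp->max)
        return AGING_PASSWORD_EXPIRED;

    return AGING_OK;
}

/* Current day number, the same unit the shadow attributes use. */
long days_since_epoch(void)
{
    return (long)(time(NULL) / 86400);
}

static const char *state_name(enum aging_state s)
{
    switch (s) {
    case AGING_OK:               return "ok";
    case AGING_PASSWORD_EXPIRED: return "password expired (change required)";
    case AGING_ACCOUNT_INACTIVE: return "account inactive";
    case AGING_ACCOUNT_EXPIRED:  return "account expired";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed sample entries; day 12400 is an arbitrary "today". */
    const long today = 12400;
    const struct shadow_aging samples[] = {
        {     0, 90, -1,    -1 },   /* lstchg 0: forced change */
        {    -1, 90, -1,    -1 },   /* lstchg -1: aging disabled */
        { 12300, 90, -1,    -1 },   /* changed 100 days ago, max 90 */
        { 12350, 90, -1,    -1 },   /* changed 50 days ago, still valid */
        { 12300, 90,  5,    -1 },   /* expired and 5-day grace period over */
        { 12350, 90, -1, 12399 },   /* account-level expiry passed */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct shadow_aging *sp = &samples[i];
        printf("lstchg=%ld max=%ld inact=%ld expire=%ld -> %s\n",
               sp->lstchg, sp->max, sp->inact, sp->expire,
               state_name(check_aging(sp, today)));
    }
    return 0;
}
```

In PAM terms the AGING_PASSWORD_EXPIRED state is what an account-management module hands back to the application as PAM_NEW_AUTHTOK_REQD; that return value is what tells sshd to run the password stack instead of simply closing the session, so whichever module evaluates the LDAP shadow attributes has to be the one consulted in the account phase for the convention to have any effect.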