Hi George,

This is not an answer, but I do have a suggestion.
1) Did you modify the config files manually or did you use pam-auth-update? In any case, try downloading and installing Auth-Client-Config, which is a Python script that helps configure nsswitch.conf and the PAM configuration files. Check what it does differently.
2) Did you happen to run debug and check the log files (syslog) to see if there's anything erroneous?
- Carlos

Date: Fri, 21 Dec 2012 14:42:08 -0500
From: [email protected]
To: [email protected]
Subject: Re: [MLUG] Linux LDAP Client for 389-ds - password policy
Hi Carlos,
I just did the last test I can think of - I pointed the CentOS client to the
Ubuntu server. And yes, the client gets the Password Policies without the
shadowAccount objectclass. For instance, I created a new user and set up a
user-specific policy. Via the CentOS client I can log in as this user and
immediately get prompted to change my password: "You are required to change your
password immediately." The same procedure on the Ubuntu client logs the user in
without any notification.
Then I thought copying over from CentOS to Ubuntu /etc/pam_ldap.conf (on
Ubuntu this is /etc/ldap.conf), /etc/nslcd.conf and /etc/openldap/ldap.conf (on
Ubuntu /etc/ldap/ldap.conf) would change something. Nothing, still the same old.
Here are the requested pam.d files:
Ubuntu: /etc/pam.d/common-account
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/common-auth
# here are the per-package modules (the "Primary" block)
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

/etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config

CentOS: /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

/etc/pam.d/passwd-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
One difference is that on Ubuntu I do not have cracklib installed. I plan to do
so later; for now I am just testing.
I also wonder: if an Ubuntu LDAP client joins AD, how does it receive notifications
for password expiration from it? It should be something similar, but I can't figure
it out.
Thank you,
George S.
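To see why the two account stacks quoted above can hand the application different results for the same LDAP user, here is an added example (not from this thread, and not Ubuntu's or CentOS's own tooling): a small Python model of the Linux-PAM control-flag actions from pam.conf(5), run over both account stacks. The module return values are assumed, constructed for an LDAP user whose server-side password policy demands a reset.

```python
KEYWORDS = {  # keyword controls in the bracket form pam.conf(5) gives as equivalent
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}

def parse_control(control):
    spec = KEYWORDS.get(control, control)  # expand a keyword, keep a bracket form
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("unsupported control: %r" % control)
    return dict(item.split("=", 1) for item in spec[1:-1].split())

def run_stack(stack, returns):
    """Return the code the application gets from [(control, module), ...] when
    each module yields returns[module]. Per pam.conf(5): bad/die fix the result
    at the first failing module's value; ok/done/N only overwrite an unset or
    'success' result; done ends the stack unless a failure is already recorded."""
    result, failed, i = None, False, 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        rv = returns.get(module, "success")
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))  # default is 'bad'
        if action == "ignore":
            continue
        failing = action in ("bad", "die")
        if failing and not failed:
            result, failed = rv, True
        elif not failing and not failed and result in (None, "success"):
            result = rv
        if action == "die" or (action == "done" and not failed):
            break
        if action.isdigit():
            i += int(action)  # N: jump over the next N modules
    return "perm_denied" if result is None else result  # nothing contributed

# Account stacks transcribed from the post (module arguments dropped).
UBUNTU_ACCOUNT = [("[success=2 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
                  ("[success=1 default=ignore]", "pam_ldap.so"),
                  ("requisite", "pam_deny.so"), ("required", "pam_permit.so")]
CENTOS_ACCOUNT = [("required", "pam_unix.so"), ("sufficient", "pam_localuser.so"),
                  ("sufficient", "pam_succeed_if.so"),
                  ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),
                  ("required", "pam_permit.so")]
# Assumed return values for an LDAP user whose policy demands a password reset:
# no local shadow entry for pam_unix to object to, not in /etc/passwd, uid >= 500.
RETURNS = {"pam_unix.so": "success", "pam_localuser.so": "user_unknown",
           "pam_succeed_if.so": "auth_err", "pam_ldap.so": "new_authtok_reqd",
           "pam_deny.so": "acct_expired", "pam_permit.so": "success"}
```

Under these assumptions the CentOS stack returns new_authtok_reqd (pam_ldap's value is frozen by default=bad and pam_permit cannot override it), which is what makes login call pam_chauthtok, while the Ubuntu stack returns success because pam_unix's success=2 jumps straight over pam_ldap; and even when that pam_ldap line is reached, its [success=1 default=ignore] control treats new_authtok_reqd as "default" and discards it.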
Date: Thu, 20 Dec 2012 23:10:21 +0000
From: Carlos Lopez <[email protected]>
To: <[email protected]>
Subject: Re: [MLUG] Linux LDAP Client for 389-ds - password policy
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"
Hi George, can we see the configuration files, for example the /etc/pam.d/ and
/etc/ldap files? - Carlos
_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca