Hi Carlos, I used pam-auth-update and Auth-Client-Config, which took care of nsswitch.conf and the PAM files, listed below. I hadn't run it yet in debug mode and am not sure if this is needed as the server seems to be fine. At this point I almost gave up on this specific feature, although I like it a lot.
From what I was able to find on the web for OpenLDAP, for instance, I noticed that implementing password policies involves shadowAccount. I guess I will just have to remember it and stick to it - i.e. creating a shadowAccount for every user and managing Linux passwords from there. Thank you for your help!

George S.

Message: 2
> Date: Sat, 22 Dec 2012 02:06:47 +0000
> From: Carlos L <[email protected]>
> To: <[email protected]>
> Subject: Re: [MLUG] Linux LDAP Client for 389-ds - password policy
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi George
>
> This is not an answer, but I do have a suggestion.
>
> 1) Did you modify the config files manually or did you use pam-auth-update? In any case, try downloading and installing Auth-Client-Config, which is a python script which helps configure nsswitch.conf and the pam configuration files. Check what it does differently.
>
> 2) Did you happen to run debug and check the log files (syslog) to see if there's anything erroneous?
>
> - Carlos
>
> Date: Fri, 21 Dec 2012 14:42:08 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: [MLUG] Linux LDAP Client for 389-ds - password policy
>
> Hi Carlos,
>
> I just did the last test I can think of - I pointed the CentOS client to the Ubuntu server. And yes, the client gets the Password Policies without the shadowAccount objectclass. For instance, I created a new user and set up a user-specific policy. Via the CentOS client I can login as this user and immediately get prompted to change my password: "You are required to change your password immediately." The same procedure on the Ubuntu client logs in the user without any notification.
>
> Then, I thought copying over from CentOS to Ubuntu /etc/pam_ldap.conf (on Ubuntu this is /etc/ldap.conf), /etc/nslcd.conf, /etc/openldap/ldap.conf (on Ubuntu /etc/ldap/ldap.conf) will change something. Nothing, still the same old.
>
> Here are the requested pam.d files:
>
> Ubuntu: /etc/pam.d/common-account
>
> # here are the per-package modules (the "Primary" block)
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 default=ignore] pam_ldap.so
> # here's the fallback if no module succeeds
> account requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> account required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> # end of pam-auth-update config
>
> /etc/pam.d/common-auth
>
> # here are the per-package modules (the "Primary" block)
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> # here's the fallback if no module succeeds
> auth requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> auth required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> auth optional pam_cap.so
> # end of pam-auth-update config
>
> /etc/pam.d/common-password
>
> # here are the per-package modules (the "Primary" block)
> password [success=2 default=ignore] pam_unix.so obscure sha512
> password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
> # here's the fallback if no module succeeds
> password requisite pam_deny.so
> # prime the stack with a positive return value if there isn't one already;
> # this avoids us returning an error just because nothing sets a success code
> # since the modules above will each just jump around
> password required pam_permit.so
> # and here are more per-package modules (the "Additional" block)
> password optional pam_gnome_keyring.so
> # end of pam-auth-update config
>
> CentOS: /etc/pam.d/system-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> /etc/pam.d/passwd-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session optional pam_mkhomedir.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> One difference is that on Ubuntu I do not have cracklib installed. I plan to do so later; right now I am just testing.
>
> I also wonder: if an Ubuntu LDAP client joins AD, how does it receive notifications for password expiration from it? It should be something similar, but I can't figure it out.
>
> Thank you,
> George S.
>
> Date: Thu, 20 Dec 2012 23:10:21 +0000
> From: Carlos Lopez <[email protected]>
> To: <[email protected]>
> Subject: Re: [MLUG] Linux LDAP Client for 389-ds - password policy
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi George, can we see the configuration files, for example the /etc/pam.d/ and /etc/ldap files?
>
> - Carlos
>
> _______________________________________________
> mlug mailing list
> [email protected]
> https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
>
> ------------------------------
>
> End of mlug Digest, Vol 58, Issue 7
> ***********************************
_______________________________________________ mlug mailing list [email protected] https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
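A worked example, added here and not posted by anyone in the thread: a small simulator of Linux-PAM's control-field evaluation, run over the account sections of the two stacks George posted (the Ubuntu pam-auth-update common-account and the CentOS authconfig system-auth-ac). The semantics implemented are those documented in pam.conf(5) (ok, done, bad, die, ignore, a jump count N, and the required/requisite/sufficient/optional shorthands; reset and substack are left out). Every module return value fed to it is a constructed scenario, not something observed on either client, and the function names (parse_stack, evaluate, expired_ldap_user, unknown_to_pam_unix) are my own. What the control fields alone establish is that in the Ubuntu stack a PAM_NEW_AUTHTOK_REQD from pam_ldap.so is mapped to `default=ignore`, so it can never reach the application: pam_ldap either succeeds and jumps over pam_deny, or the stack falls through to pam_deny. The CentOS stack maps the same result through `default=bad`, so it becomes the stack's status and the login program is told to force a password change.

```python
"""Trace how Linux-PAM walks the two account stacks posted in the thread.

Added example, not code from the thread. Control-field semantics follow
pam.conf(5); 'reset' and substack are omitted. Every module return value
used below is a constructed scenario, not output observed on a real client.
"""

SUCCESS, NEW_AUTHTOK_REQD, USER_UNKNOWN = "PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD", "PAM_USER_UNKNOWN"
AUTH_ERR, PERM_DENIED, ACCT_EXPIRED = "PAM_AUTH_ERR", "PAM_PERM_DENIED", "PAM_ACCT_EXPIRED"

# Expansions of the keyword controls, as documented in pam.conf(5).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The account sections exactly as posted in the thread (comments dropped).
UBUNTU_COMMON_ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

CENTOS_SYSTEM_AUTH_ACCOUNT = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
"""


def parse_control(field):
    """'[success=2 default=ignore]' -> {'success': '2', 'default': 'ignore'}."""
    if field.startswith("["):
        return dict(kv.split("=", 1) for kv in field.strip("[]").split())
    return SHORTHAND[field]


def parse_stack(text):
    """Return [(type, control dict, module)] for each non-comment line."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, rest = line.split(None, 1)
        if rest.startswith("["):                 # bracketed control, may contain spaces
            ctl, rest = rest.split("]", 1)
            ctl += "]"
        else:                                    # keyword control
            ctl, rest = rest.split(None, 1)
        stack.append((typ, parse_control(ctl), rest.split()[0]))
    return stack


def evaluate(stack, returns):
    """Walk the stack; `returns` maps module name -> the status it returns.

    Mirrors libpam dispatch: the first bad/die status sticks; ok/done/N set
    the result only while the stack is undecided or still PAM_SUCCESS; done
    stops the walk once the result is positive; N skips the next N modules;
    a stack that never sets a result yields PAM_PERM_DENIED.
    """
    impression, status, i = None, None, 0        # impression: None / 'pos' / 'neg'
    while i < len(stack):
        _, control, module = stack[i]
        rv = returns.get(module, SUCCESS)
        key = rv[len("PAM_"):].lower()           # PAM_USER_UNKNOWN -> user_unknown
        action = control.get(key, control.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", rv
            if action == "die":
                break
        elif action != "ignore":                 # ok, done, or a jump count
            if impression is None or (impression == "pos" and status == SUCCESS):
                impression, status = "pos", rv
            if action == "done" and impression == "pos":
                break
            if action.isdigit():
                i += int(action)
        i += 1
    return status if impression is not None else PERM_DENIED


def run_both(returns):
    return {"ubuntu": evaluate(parse_stack(UBUNTU_COMMON_ACCOUNT), returns),
            "centos": evaluate(parse_stack(CENTOS_SYSTEM_AUTH_ACCOUNT), returns)}


# Constructed values for the helper modules: a directory user is not in
# /etc/passwd and has uid >= 500; pam_deny fails the account phase.
HELPERS = {"pam_localuser.so": PERM_DENIED, "pam_succeed_if.so": AUTH_ERR,
           "pam_deny.so": ACCT_EXPIRED}


def expired_ldap_user():
    """Constructed: pam_unix finds no expiry data and succeeds; pam_ldap says change it."""
    return run_both({"pam_unix.so": SUCCESS, "pam_ldap.so": NEW_AUTHTOK_REQD, **HELPERS})


def unknown_to_pam_unix():
    """Constructed: pam_unix cannot resolve the user; pam_ldap still says change it."""
    return run_both({"pam_unix.so": USER_UNKNOWN, "pam_ldap.so": NEW_AUTHTOK_REQD, **HELPERS})
```

In the first scenario the Ubuntu stack returns PAM_SUCCESS (the `success=2` jump on pam_unix skips pam_ldap and pam_deny altogether, so the directory's policy is never consulted) while the CentOS stack returns PAM_NEW_AUTHTOK_REQD; in the second both deny, and the Ubuntu stack still never surfaces the expiry. Which return values pam_unix and pam_ldap actually produce on George's Ubuntu client is not something the thread establishes; the simulator only shows what each stack does with a given set of return values, which is exactly what Carlos's suggestion of running in debug mode and reading syslog would pin down.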
