Hello list,
 
First of all, sorry if this is on the wrong list, reaches the wrong
people, has been asked 1000 times before, or is just a basic or stupid
question. Yes, I have searched Google and the mailing list archives.
 
We (successfully) implemented ppolicy on our 2.4.22 OpenLDAP server.
Password constraints are enforced correctly, but letting the accounts
expire correctly seems a bit tricky.
 
When users with an expired account try to log on to an application
making a bind using the user's own credentials, everything works as
expected; users cannot log in, access gets denied. In the slapd logging,
the following message is displayed:
 
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an expired password: 0 grace logins

But when trying to log into PAM (ssh, su etc.), there is no warning
displayed that the account is expired. The user is also allowed to log in
normally.
 
I've been Googling for a couple of days now, and can't really find the
culprit.
 
I was especially interested in this thread:
http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
 
So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
 
When I try to bind directly, such as with an ldapsearch, the logging
shows
 
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=<user> = 4318121 seconds

So, that seems to be correct.
But, when logging in via PAM, the log does not display the "setting
warning".
 
ldap.conf on the clients reads:
 
binddn cn=<binddn>
base <base>
bindpw <secret>
uri ldaps://<master1> ldaps://<master2>
ssl yes
bind_timelimit 2
tls_checkpeer yes
tls_ciphers TLSv1
tls_cacertdir /etc/ssl/openldap2.4
pam_password crypt
pam_check_host_attr yes
pam_lookup_policy yes
 

I think this is caused by PAM using the bindDN and then *querying* the
user. So the server does not set a password expiry warning. But as I
understood it, "pam_lookup_policy" should ensure that PAM tries to query for
an expiry date.
 
How can I configure PAM to display the "Your password will expire in ...
days"?
 
/etc/pam.d/system-auth:
 
auth        required      /lib/security/$ISA/pam_tally2.so onerr=succeed audit
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
 
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
 

sshd_config shows "UsePAM yes"
 
Again, sorry if this is not a question for this list.
 
Thank you for any responses,
Dannie Obbink
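The post shows that the slapd log is where ppolicy's decision becomes visible: a bind as the user produces either an "expired password" line or a "Setting warning for password expiry" line, while a lookup through the service bindDN produces neither. The following is an added example, not code from the poster or from OpenLDAP, that parses those two ppolicy_bind message formats (as quoted in the post) from slapd log text and turns them into the per-user expiry state a PAM warning would report. The log lines, user names and the seven-day warning threshold are constructed for the example.

```python
import re

# Constructed sample slapd log text. The two ppolicy_bind message formats
# follow the lines quoted in the post; the uids and the plain BIND line are
# made up for the example.
SAMPLE_LOG = """\
Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=alice has an expired password: 0 grace logins
Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=bob = 4318121 seconds
Jul 22 15:32:01 slapd2.4[27182]: conn=1001 op=0 BIND dn="cn=svc" method=128
Jul 22 15:32:10 slapd2.4[27182]: ppolicy_bind: Setting warning for password expiry for uid=carol = 3600 seconds
"""

# Message emitted when the bound user's password has already expired.
EXPIRED_RE = re.compile(
    r"ppolicy_bind: Entry uid=(?P<uid>\S+) has an expired password: "
    r"(?P<grace>\d+) grace logins"
)
# Message emitted when the bind succeeds but falls inside pwdExpireWarning.
WARNING_RE = re.compile(
    r"ppolicy_bind: Setting warning for password expiry for uid=(?P<uid>\S+) "
    r"= (?P<secs>\d+) seconds"
)

SECONDS_PER_DAY = 86400


def parse_ppolicy_events(log_text):
    """Extract ppolicy_bind expiry events from slapd log text.

    Returns a list of dicts with uid, state ("expired" or "warning"),
    grace_logins (only for expired entries) and seconds_left (0 if expired).
    Lines without a ppolicy_bind message are ignored.
    """
    events = []
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if m:
            events.append({
                "uid": m["uid"],
                "state": "expired",
                "grace_logins": int(m["grace"]),
                "seconds_left": 0,
            })
            continue
        m = WARNING_RE.search(line)
        if m:
            events.append({
                "uid": m["uid"],
                "state": "warning",
                "grace_logins": None,
                "seconds_left": int(m["secs"]),
            })
    return events


def days_until_expiry(seconds_left):
    """Whole days remaining, the granularity a PAM expiry warning uses."""
    return seconds_left // SECONDS_PER_DAY


def expiry_report(events, warn_within_days=7):
    """Map uid -> human-readable expiry message for users needing attention.

    Expired users are always reported; users with a warning are reported only
    when their remaining time is within warn_within_days.
    """
    report = {}
    for ev in events:
        if ev["state"] == "expired":
            report[ev["uid"]] = (
                f"password expired ({ev['grace_logins']} grace logins left)"
            )
            continue
        days = days_until_expiry(ev["seconds_left"])
        if days > warn_within_days:
            continue
        if days == 0:
            report[ev["uid"]] = "password expires in less than a day"
        else:
            report[ev["uid"]] = f"password will expire in {days} days"
    return report


if __name__ == "__main__":
    for uid, msg in sorted(expiry_report(parse_ppolicy_events(SAMPLE_LOG)).items()):
        print(f"{uid}: {msg}")
```

Running the script against a real slapd log (with ppolicy logging at the level the post shows) lets you confirm from the server side whether the PAM login ever triggered a ppolicy_bind message for the user at all; if only the service account's BIND appears around the login, the server had no user bind on which to attach a warning.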
