On Monday, 16 August 2010 23:02:41 Wei Gao wrote:
> Hello Buchan
>
> I set pwdReset manually and it worked. Thank you.
>
> For my issue regarding pwdExpireWarning not displaying warning message when
> I ssh into my systems, I still can't figure out what I did wrong. Here is
> my default policy:
>
> dn: cn=default,ou=Policies,dc=example,dc=company
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 1209600
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 24
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 5184000
> pwdMaxFailure: 3
> pwdMinLength: 12
> pwdMustChange: TRUE
> pwdSafeModify: FALSE

So, test your policy with ldapwhoami (with appropriate options, see man page),
with -e ppolicy option to display ppolicy controls in the response.

> pwdMaxAge works perfectly and so does every other attribute, except
> pwdExpireWarning. pwdExpireWarning is the only one I am having issues
> now. Not sure what I did wrong. Do you need to know any other details?

If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings.

See my previous reply:

You need to supply your PAM configuration if anyone is to assist you further.

> > > expire in 12 days, how come I don't see a warning message when I ssh to
> > > my system?
> >
> > Misconfigured PAM stack probably (authorization, IOW account lines). There have
> > been previous solutions in previous threads on this topic, and without
> > any details of your system it isn't possible to assist further.

Regards,
Buchan
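
The reply above points at the PAM account lines. As an added example (not part of the thread or of pam_ldap), this Python check reports whether pam_ldap.so is used in a service's auth stack but is missing from its account stack. The file names and contents are constructed samples, and the check only lists modules: it does not evaluate control flags such as sufficient, which can skip later modules.

```python
import re

# Constructed sample files (not from the thread), keyed by name under /etc/pam.d.
SAMPLE = {
    "sshd": "auth     include  system-auth\n"
            "account  include  system-auth\n",
    "system-auth": "auth     sufficient  pam_unix.so nullok\n"
                   "auth     sufficient  pam_ldap.so use_first_pass\n"
                   "auth     required    pam_deny.so\n"
                   "account  required    pam_unix.so  # no pam_ldap.so here\n",
}

# type, control (plain word or [bracketed] form), module path or include target
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def modules(files, service, mgmt_type, seen=None):
    """List modules configured for mgmt_type in service, following includes."""
    seen = set() if seen is None else seen
    if service in seen or service not in files:
        return []
    seen.add(service)
    found = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include"):            # Debian-style whole-file include
            parts = line.split()
            if len(parts) > 1:
                found += modules(files, parts[1], mgmt_type, seen)
            continue
        m = RULE.match(line)
        if not m or m.group(1) != mgmt_type:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            found += modules(files, target, mgmt_type, seen)
        else:
            found.append(target.rsplit("/", 1)[-1])   # drop any directory prefix
    return found

def ldap_account_gap(files, service):
    """True when pam_ldap.so is in the auth stack but not in the account stack."""
    return ("pam_ldap.so" in modules(files, service, "auth")
            and "pam_ldap.so" not in modules(files, service, "account"))

if __name__ == "__main__":
    print("account modules:", modules(SAMPLE, "sshd", "account"))
    print("pam_ldap missing from account stack:", ldap_account_gap(SAMPLE, "sshd"))
```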
