Hello Buchan

I am running the rpm package openldap server 2.3 that comes with CentOS 5.4, and my ldap client is CentOS 4. Looks like there is no ldapwhoami -e ppolicy option on the CentOS 4 client, as you can see below. I also copy and paste the client's /etc/pam.d/system-auth below.


[us...@ldapclient ~]$ ldapwhoami -e ppolicy
Invalid general control name: ppolicy
Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (an RFC 2254 Filter)
[!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
[!]manageDSAit
[!]noop
[!]postread[=<attrs>] (a comma-separated attribute list)
[!]preread[=<attrs>] (a comma-separated attribute list)
-h host LDAP server
-H URI LDAP Uniform Resource Indentifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-O props SASL security properties
-o <opt>[=<optparam>] general options
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
[us...@ldapclient ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so

#password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password requisite /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so


Do you see anything configured wrong in my /etc/pam.d/system-auth? Thanks so much for your help with this issue.

Regards
Wei

On Aug 17, 2010 4:43am, Buchan Milne <[email protected]> wrote:
On Monday, 16 August 2010 23:02:41 Wei Gao wrote:

> Hello Buchan
>
> I set pwdReset manually and it worked. Thank you.
>
> For my issue regarding pwdExpireWarning not displaying warning message when
> I ssh into my systems, I still can't figure out what I did wrong. Here is
> my default policy:
>
> dn: cn=default,ou=Policies,dc=example,dc=company
> objectClass: top
> objectClass: device
> objectClass: pwdPolicy
> cn: default
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 1209600
> pwdFailureCountInterval: 0
> pwdGraceAuthNLimit: 0
> pwdInHistory: 24
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 5184000
> pwdMaxFailure: 3
> pwdMinLength: 12
> pwdMustChange: TRUE
> pwdSafeModify: FALSE

So, test your policy with ldapwhoami (with appropriate options, see man page),
with -e ppolicy option to display ppolicy controls in the response.

> pwdMaxAge works perfectly and so does every other attribute, except
> pwdExpireWarning. pwdExpireWarning is the only one I am having issues
> now. Not sure what I did wrong. Do you need to know any other details?

If ldapwhoami with -e ppolicy works correctly, your problem is your PAM stack.
This will not be the only pam_ldap feature (host-based authorization with
pam_check_host_attr will not be adhered to) that doesn't work due to incorrect
PAM authorization settings. See my previous reply:

You need to supply your PAM configuration if anyone is to assist you further.

> > > expire in 12 days, how come I don't see a warning message when I ssh to
> > > my system?
> >
> > Misconfigured PAM stack probably (authorization, IOW account lines).
> > There have
> > been previous solutions in previous threads on this topic, and without
> > any details of your system it isn't possible to assist further.

Regards,

Buchan
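Added example, not code from this thread or from OpenLDAP: a small pure-Python decoder for the password policy response control (draft-behera-ldap-password-policy), which is the data a newer client's `ldapwhoami -e ppolicy` prints and which the CentOS 4 client above cannot request. The control values below are constructed for the example; on a real bind the server returns this control only when the client sent the ppolicy request control (same OID), so it shows whether the server is emitting the expiry warning independently of the PAM stack.

```python
PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # request and response control OID

# error values of the ENUMERATED in PasswordPolicyResponseValue
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlv(buf, pos):
    """Read one BER tag/length/value starting at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """Decode the control value bytes (PasswordPolicyResponseValue) into a dict."""
    out = {"time_before_expiration": None, "grace_authns_remaining": None, "error": None}
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response value is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:  # warning [0] CHOICE (constructed)
            ctag, ival, _ = _tlv(inner, 0)
            n = int.from_bytes(ival, "big", signed=True)
            if ctag == 0x80:  # timeBeforeExpiration [0] INTEGER, in seconds
                out["time_before_expiration"] = n
            elif ctag == 0x81:  # graceAuthNsRemaining [1] INTEGER
                out["grace_authns_remaining"] = n
        elif tag == 0x81:  # error [1] ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(int.from_bytes(inner, "big"), "unknown")
    return out

# Constructed sample values (not captured from the poster's server): a bind
# answered with a 12-day (1036800 s) expiry warning, which the thread's policy
# (pwdExpireWarning 1209600, pwdMaxAge 5184000) should produce 12 days before
# expiry, and a bind answered with error passwordExpired(0).
SAMPLE_WARNING = bytes.fromhex("3007a00580030fd200")
SAMPLE_EXPIRED = bytes.fromhex("3003810100")

if __name__ == "__main__":
    for sample in (SAMPLE_WARNING, SAMPLE_EXPIRED):
        print(decode_ppolicy_response(sample))
```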