On (19/11/14 16:04), Seth Sims wrote:
>Hello everyone,
>
>I am trying to get sssd configured with ldap but having a little bit of
>trouble. I can successfully authenticate and get all user information and
>all that basic jazz. However when I set pwdReset in the user's entry on our
>ldap sssd is not prompting the user to reset their password. It's obvious
>from the sssd log for the domain (part included below) that sssd sees the
>attribute in the password policy control but the message is not making it
>back to PAM.
>
>I have also included the config for the domain including some of my
>attempts to figure out if this is a configuration issue. Am I missing a
>setting? Have I found a bug? Whats going on here?
>
>- Seth
>
>>>>> some Pertinent Versions
>CentOS 6
>sssd 1.12.2
>openldap 2.4.39
>
>>>>>>>>>>>>>>>>>>>>>>>>> auth-people log
>[find_password_expiration_attributes] (0x4000): No password policy
>requested.
>[simple_bind_send] (0x0100): Executing simple bind as: *****
>[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2
>[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1],
>ops[0x1410460], ldap[0x1360050]
>[sdap_process_result] (0x2000): Trace: ldap_result found nothing!
>[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1],
>ops[0x1410460], ldap[0x1360050]
>[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
>[simple_bind_done] (0x2000): Server returned control
>[1.3.6.1.4.1.42.2.27.8.5.1].
>[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace
>[-1] error [Password must be changed].
>[simple_bind_done] (0x1000): Password was reset. User must set a new
>password.
>[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
>[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password
>policies are active.
>[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1],
>ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]
>[remove_connection_callback] (0x4000): Successfully removed connection
>callback.
>[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>)
>[Success]
>[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
>[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]
^^^
That's the right PAM error code.
From pam header files:
#define PAM_NEW_AUTHTOK_REQD 12 /* New authentication token required. */
/* This is normally returned if the */
/* machine security policies require */
/* that the password should be changed */
/* beccause the password is NULL or it */
/* has aged */
How did you test? (with ssh or with "su -")
Could you share log files from pam section as well?
/var/log/secure would be helpful too.
How did you configure pam stack?
LS
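As an added illustration (not part of either post), a small Python triage helper that reads the sssd domain log excerpt above and pulls out the two facts the reply points at: the LDAP password-policy response control (expire / grace / error) and the status that the backend hands to the PAM responder, decoded against the Linux-PAM return codes from _pam_types.h. The sample log is constructed from the lines quoted in the post, re-joined into single lines as they appear in the real log file (the mail client wrapped them); the function and variable names are this example's own.

```python
"""Triage helper for an sssd domain log (added example, not sssd code).

Extracts the ppolicy response reported by simple_bind_done and the PAM
status reported by be_pam_handler_callback, and names the PAM code.
"""
import re
from typing import Optional, Tuple

# Linux-PAM return codes relevant to an authentication result
# (values as defined in Linux-PAM's _pam_types.h).
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",   # "New authentication token required"
    13: "PAM_ACCT_EXPIRED",
    27: "PAM_AUTHTOK_EXPIRED",
}

# "... Password Policy Response: expire [0] grace [-1] error [Password must be changed]."
PPOLICY_RE = re.compile(
    r"Password Policy Response: expire \[(-?\d+)\] grace \[(-?\d+)\] error \[([^\]]*)\]"
)
# "... Backend returned: (0, 12, <NULL>) [Success]"  -> (backend status, PAM status)
BACKEND_RE = re.compile(r"Backend returned: \((\d+), (\d+), ")


def parse_ppolicy(line: str) -> Optional[dict]:
    """Return the ppolicy control fields from a simple_bind_done line, or None."""
    m = PPOLICY_RE.search(line)
    if not m:
        return None
    return {"expire": int(m.group(1)), "grace": int(m.group(2)), "error": m.group(3)}


def parse_backend_result(line: str) -> Optional[Tuple[int, int]]:
    """Return (backend_status, pam_status) from a be_pam_handler_callback line, or None."""
    m = BACKEND_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def analyse(log_text: str) -> dict:
    """Walk the log once and summarise what the LDAP server and the backend said."""
    ppolicy = None
    status = pam_code = None
    for line in log_text.splitlines():
        ppolicy = parse_ppolicy(line) or ppolicy
        res = parse_backend_result(line)
        if res is not None:
            status, pam_code = res
    return {
        "ppolicy": ppolicy,
        "backend_status": status,
        "pam_code": pam_code,
        "pam_name": PAM_CODES.get(pam_code, "unknown") if pam_code is not None else None,
        # The bind itself succeeded, but PAM is told a new token is required.
        "password_change_required": pam_code == 12,
    }


# Constructed sample, re-joined from the wrapped lines quoted in the post.
SAMPLE_LOG = """\
[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].
[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].
[simple_bind_done] (0x1000): Password was reset. User must set a new password.
[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]
[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]
"""

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG)
    print(f"ppolicy control : {summary['ppolicy']}")
    print(f"PAM status      : {summary['pam_code']} ({summary['pam_name']})")
    if summary["password_change_required"]:
        print("Backend is asking PAM for a new token; the calling application must run "
              "pam_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK) for the user to see a prompt.")
```

The useful check this encodes is the one the reply makes: the log shows sssd doing its part (the ppolicy control was parsed and the backend returned PAM_NEW_AUTHTOK_REQD). Whether the user is ever prompted depends on the PAM application: only an application that treats that code from the auth/account phase by calling pam_chauthtok with PAM_CHANGE_EXPIRED_AUTHTOK (as sshd and login do) will start the password change, which is why the reply asks how the test was run and how the PAM stack is configured.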
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users