
Re: ShadowPassword / ShadowExpire: msg#00369

Subject: Re: ShadowPassword / ShadowExpire


Jeff Medcalf wrote:
Jim,

I haven't tried this on FDS, but given that it has the same base as SunONE and the old iPlanet, I would assume it works the same as those directory servers. In that case, and assuming that you are using pam_ldap, go ahead and use the password policy: pam_ldap knows about it and works correctly with it.

I am a little confused on what is actually being used. I see the following entries in machines here:
=========================================
Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account configuration[13]: User account has expired
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP server...
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
=========================================

So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess they could be one and the same?

and system-auth has:
======================================
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
======================================

So I would think it is pam_ldap.

I am going to double-check the pam config to make sure it is still following recommendations.


Oh, and if you are using the pam_ldap that comes with Solaris, you might try switching to the open source version: the Sun version is terribly buggy and horrible.

Will do.  The majority are Linux clients.


On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:

Hello List,

Being in the midst of evaluating and hopefully migrating to FDS soon. I have stumbled onto an odd problem.

My user information is kept in the People container. We have been using shadowExpire / shadowLastChange fields.

This all seems to work except when a user's account is ready to expire and is prompted to change their password. Using passwd, the user can change the password, but the system continues to prompt for a new password upon each successive login.

Looking at the data, the shadowExpire / LastChange never get updated. I am also not seeing any errors being generated in the logs. I can manually update those fields and the problem goes away. But I guess I thought passwd / nss_ldap / pam would update those fields as needed.

Looking in the docs, all I see is configuring a password policy. But that seems to be directed at users actually connecting to the directory via console / ldapsearch, etc....

Initially I thought I was having some ACI issues but I am really not sure. It could be that I need to drop the shadow stuff and configure the password policy?

Advice or suggestions on what I am missing or where I have gone wrong?


TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------

--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users


--
Jeff Medcalf
jeff@xxxxxxxxxxxxx



--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
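
The symptom discussed in this thread, as an added example that is not part of the original messages and is not pam_ldap or nss_ldap code: a simplified model of shadow(5)-style aging checks showing why a password change that leaves shadowLastChange stale keeps triggering the change prompt. The shadowMax and shadowWarning attributes (RFC 2307) and all sample values are assumptions constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def shadow_day(d):
    """Days since 1970-01-01, the unit used by shadowLastChange/shadowExpire."""
    return (d - EPOCH).days

def _num(entry, name):
    """Read an integer attribute; a missing or empty value disables the check (-1)."""
    value = entry.get(name)
    return int(value) if value not in (None, "") else -1

def account_status(entry, today):
    """Classify an entry with simplified shadow(5) aging rules (assumed model)."""
    now = shadow_day(today)
    last = _num(entry, "shadowLastChange")
    max_age = _num(entry, "shadowMax")
    expire = _num(entry, "shadowExpire")
    warn = _num(entry, "shadowWarning")
    if expire > 0 and now >= expire:
        return "account_expired"
    if last == 0:
        return "password_change_required"  # 0 forces a change at next login
    if last > 0 and max_age > 0:
        age_limit = last + max_age
        if now >= age_limit:
            return "password_change_required"
        if warn > 0 and now >= age_limit - warn:
            return "password_expiring_soon"
    return "ok"

# Constructed sample entry: password last changed 2005-09-01, 90-day maximum age.
entry = {"shadowLastChange": str(shadow_day(date(2005, 9, 1))),
         "shadowMax": "90", "shadowWarning": "7"}
login_day = date(2005, 12, 19)

before = account_status(entry, login_day)
# passwd replaces userPassword but leaves shadowLastChange untouched,
# so the same stale value is evaluated at the next login.
after_passwd = account_status(entry, login_day)
# Manual fix described in the thread: set shadowLastChange to the current day.
entry["shadowLastChange"] = str(shadow_day(login_day))
after_fix = account_status(entry, login_day)

if __name__ == "__main__":
    print(before, after_passwd, after_fix)
```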


