[Fedora-directory-users] ShadowPassword / ShadowExpire

Jim Summers jsummers at bachman.cs.ou.edu
Mon Dec 19 15:49:39 UTC 2005



Jeff Medcalf wrote:
> Jim,
> 
> I haven't tried this on FDS, but given that it has the same base as
> SunONE and the old iPlanet, I would assume it works the same as those
> directory servers.  In that case, and assuming that you are using
> pam_ldap, go ahead and use the password policy: pam_ldap knows about it
> and works correctly with it.

I am a little confused on what is actually being used.  I see the 
following entries in machines here:
=========================================
Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account 
configuration[13]: User account has expired
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP server...
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server 
after 1 attempt(s)
=========================================

So I am not sure as to whether pam_ldap or nss_ldap is in use.  I guess 
they could be one and the same?

and system-auth has:
======================================
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
======================================

So I would think it is pam_ldap.

I am going to double-check the pam config to make sure it is still 
following recommendations.

> 
> Oh, and if you are using the pam_ldap that comes with Solaris, you  
> might try switching to the open source version: the Sun version is  
> terribly buggy and horrible.

Will do.  The majority are linux clients.

> 
> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
> 
>> Hello List,
>>
>> Being in the midst of evaluating and hopefully migrating to FDS
>> soon.  I have stumbled onto an odd problem.
>>
>> My user information is kept in the People container.  We have been  
>> using shadowExpire / shadowLastChange fields.
>>
>> This all seems to work except when a user's account is ready to
>> expire and is prompted to change their password.  Using passwd, the
>> user can change the password, but the system continues to prompt for
>> a new password upon each successive login.
>>
>> Looking at the data, the shadowExpire / LastChange never get
>> updated.  I am also not seeing any errors being generated in the
>> logs.  I can manually update those fields and the problem goes away.
>> But I guess I thought passwd / nss_ldap / pam would update those
>> fields as needed.
>>
>> Looking in the docs, all I see is configuring a password policy.  But
>> that seems to be directed at users actually connecting to the
>> directory via console / ldapsearch, etc....
>>
>> Initially I thought I was having some ACI issues but I am really not
>> sure.  It could be that I need to drop the shadow stuff and configure
>> the password policy?
>>
>> Advice or suggestions on what I am missing or where I have gone wrong?
>>
>>
>> TIA
>> -- 
>> Jim Summers
>> School of Computer Science-University of Oklahoma
>> -------------------------------------------------
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
> 
> 
> -- 
> Jeff Medcalf
> jeff at caerdroia.org
> 
> 

-- 
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
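The shadowExpire / shadowLastChange semantics the thread is about, as an added example (this is not code from the list post, from pam_ldap or from Fedora Directory Server). It evaluates the shadow(5) attributes the way the pam stack judges them (days since 1970-01-01; shadowExpire is an absolute account-expiry day, shadowLastChange plus shadowMax bounds the password lifetime), and builds the LDIF modify that resets shadowLastChange after a password change, i.e. the update Jim describes making by hand. The LDAP entries and DN are constructed; the assumption that an ACI permits the modify is the poster's, not verified here.

```python
"""Evaluate shadow(5)-style expiry attributes as pam_ldap/pam_unix interpret them.

Added example; not code from the mailing-list post or from FDS.
All entries below are constructed.  Day numbers are days since 1970-01-01.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d: date) -> int:
    """shadow(5) stores every date as whole days since the Unix epoch."""
    return (d - EPOCH).days


def evaluate_shadow(entry: dict, today: date) -> dict:
    """Return the login state for one LDAP entry carrying shadowAccount attributes.

    shadowLastChange  day the password was last changed (0 = must change now)
    shadowMax         days a password stays valid (absent or -1 = no limit)
    shadowWarning     days before password expiry to start warning
    shadowExpire      absolute day the account expires (absent or -1 = never)
    """
    now = days_since_epoch(today)
    last = int(entry.get("shadowLastChange", -1))
    max_days = int(entry.get("shadowMax", -1))
    warn = int(entry.get("shadowWarning", 0))
    expire = int(entry.get("shadowExpire", -1))

    state = {"account_expired": False, "must_change_password": False,
             "warning": False, "days_left": None}

    # Account expiry is checked independently of the password: once today
    # reaches shadowExpire the login is refused ("User account has expired").
    if expire >= 0 and now >= expire:
        state["account_expired"] = True
        return state

    # shadowLastChange of 0 is the conventional "change password at next login".
    if last == 0:
        state["must_change_password"] = True
        return state

    # A stale shadowLastChange (never rewritten after passwd) keeps the
    # password expired, which is exactly the repeated-prompt symptom in the post.
    if last > 0 and max_days >= 0:
        days_left = last + max_days - now
        state["days_left"] = days_left
        if days_left < 0:
            state["must_change_password"] = True
        elif days_left <= warn:
            state["warning"] = True
    return state


def ldif_mark_password_changed(dn: str, today: date) -> str:
    """LDIF modify that records a password change by resetting shadowLastChange.

    passwd via pam_ldap normally issues this itself; assumption: the bound
    identity's ACI allows writing shadowLastChange on the entry.
    """
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: shadowLastChange\n"
            f"shadowLastChange: {days_since_epoch(today)}\n")


# Constructed entries, evaluated on the date of the post (2005-12-19 = day 13136).
TODAY = date(2005, 12, 19)
ENTRIES = {
    "stale":   {"shadowLastChange": "13040", "shadowMax": "90", "shadowWarning": "7"},
    "fresh":   {"shadowLastChange": "13100", "shadowMax": "90", "shadowWarning": "7"},
    "warning": {"shadowLastChange": "13050", "shadowMax": "90", "shadowWarning": "7"},
    "expired": {"shadowLastChange": "13100", "shadowMax": "90", "shadowExpire": "13100"},
}

if __name__ == "__main__":
    for name, entry in ENTRIES.items():
        print(name, evaluate_shadow(entry, TODAY))
    print(ldif_mark_password_changed("uid=example,ou=People,dc=example,dc=com", TODAY))
```

Running it shows the "stale" entry as must_change_password even though the user already ran passwd: the password itself was accepted, but nothing rewrote shadowLastChange, so the next login evaluates the old day number again. Feeding the LDIF into ldapmodify against the entry (with the appropriate bind) clears the state, which is the manual workaround described in the post.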
