[Fedora-directory-users] Account Expiration Warning

Jamie McKnight warthog at warthogsolutions.com
Wed Dec 21 16:32:46 UTC 2005 

On Wed, 2005-12-21 at 09:08 -0600, Jim Summers wrote:
> Hello List,
> 
> Having been troubled in the past with account expiration on an 
> iplanet5.1 server with linux clients,  I wanted to get this working 
> during my evaluation / testing of FDS.
> 
> I have enabled the password policy on the FDS and set the ldap.conf 
> entries necessary to get this working.   Upon doing this and then 
> logging in and out, new fields appear in the people container for that 
> account.  Such as passwordexpirationtime, passwordretrycount, etc... All 
> is working, such as, a passwd change will update the necessary fields 
> for the correct length of time reset counts, etc...
> 
> When testing the password expiration warning I stumbled onto the issue, 
> that I do not get an actual "Your password will expire in XX days" 
> message.  I do see where the field, passwordexpwarned is set to "1", but 
> I do not ever get an actual message.
> 
> The way I am testing is to set the policy to warn the user, 3 days in 
> advance.  Then I set the passwordexpiratontime to a date less than three 
> days away.  Then attempt to log in.  Login is ok, but no warning of the 
> impending doom about to strike the account.
> 
> If I actually set the expirationtime to a time less than the current, 
> then I can login until passwordusergracetime is GE the allowed number of 
> logins after the password expiration.  At which time I get a message 
> that the password expired and it must be changed immediately, at which 
> time the connection immediately closes and the password cannot be changed!
> 
> No log entries in error, so I am not sure what I have overlooked?
> 

I just tested this against FDS 1.0.1 with CentOS 4.2 as the client.  I
can get it to spit out the "Your LDAP password will expire in blah days"
message.  How is your /etc/ldap.conf and /etc/pam.d/system-auth
and /etc/pam.d/sshd files set up?  Make sure you have 

pam_lookup_policy yes

in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
authentication.  Also, if you are using a proxy agent, the proxy agent
must not be able to see the userPassword attribute, or you will end up
authenticating via pam_unix, and not pam_ldap.  If you have all of this
setup this way already, I am not sure why you don't see the warning.

In my testing however, I did notice something happening that should not
be.  I set the time in passwordexpirationtime to tomorrow, and the
password policy is set to warn 14 days before the password expires.  On
my first login I get the message:

Your LDAP password will expire in 14 days.

Which is not correct, it should have said '1 day'.  After this message
is sent, my next login shows this:

Your LDAP password will expire in 13 days.

Which is still not correct.  Looking at the entry at this point shows
that it reset the passwordexpirationtime to something in the future
(roughly looks like 14 days, which matches what I put in for warn days),
which is also not something that should be done.  passwordexpirationtime
attribute should only be modified when the user actually
modifies/changes their password.

Not sure how to start helping with getting info to the right folks to
help troubleshoot/fix this, but I am willing to help out as much as I
can.

I know this works in SunOne Directory Server 5.2 with RHEL3/4 and
Solaris 8/9 clients so I am pretty certain this is not an issue on the
client end (although I have been know to be wrong on occasion 8-).

Jamie

More information about the Fedora-directory-users mailing list