[Fedora-directory-users] pam_ldap and password policy

[jclowser at unitedmessaging.com]

I believe when you set that feature on the directory server, what 
actually happens is that the first time a user binds to the directory, a 
v3 control/message is sent back to the client (in this case, pam_ldap) 
saying effectively that the password must be changed.  BTW - how would 
pam_ldap force the user to change their password - can it do it itself, 
or would it require the user to log in and run passwd or something?  It 
may not be possible.

If the client is binding as a v2 client, or doesn't know how to 
interpret these v3 messages, it will be ignored.  Many protocols _can't_ 
make use of this, because they have no mechanism for changing passwords 
(i.e. POP, IMAP, SMTP, HTTP, etc are ones that come to mind).  I don't 
use this feature because the danger is that if the first thing a user 
logs into is via one of these protocols, and this message is ignored, 
the result of not changing their password takes effect (what does FDS 
do, btw?  Prevent the account from binding again, effectively locking 
the user out?  Does it allow some number of binds before it takes 
effect? I can't remember cause I never use it :)  )

If I'm wrong, I'm sure someone will correct me :)

 - Jeff

Jeff Falgout wrote:

>Has anyone been able to get pam_ldap to honor the password policy set in
>fedora-ds?
>
>I've tried RHEL3 and RHEL4 clients, and both just ignore settings such as
>"User must change password after reset". Is it a misconfiguration on my
>part, or is that the appropriate behavior of pam_ldap.
>
>Thanks
>Jeff
>
>--
>Fedora-directory-users mailing list
>Fedora-directory-users at redhat.com
>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>  
>