[Fedora-directory-users] pam_ldap and password policy
Pete Rowley
pete at openrowley.com
Tue Jun 14 20:06:24 UTC 2005
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf
> Of Jeff Falgout
> Sent: Tuesday, June 14, 2005 12:45 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] pam_ldap and password policy
>
> Pete Rowley said:
> >
> >
> >> -----Original Message-----
> >> From: fedora-directory-users-bounces at redhat.com
> >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of
> >> jclowser at unitedmessaging.com
> >> Sent: Tuesday, June 14, 2005 11:26 AM
> >> To: General discussion list for the Fedora Directory
> server project.
> >> Subject: Re: [Fedora-directory-users] pam_ldap and password policy
> >> changed. BTW - how would pam_ldap force the user to change their
> >> password - can it do it itself, or would it require the
> user to log
> >> in and run passwd or something? It may not be possible.
> >>
> >
> > PAM has the necessary protocol for password changes during
> logon - in
> > fact PAM gets called by passwd. However, I do not know off hand
> > whether pam_ldap implements those functions.
> >
>
> It seems that pam_ldap is checking the password policy -
>
> I've looked at ldap.conf so many times, I've overlooked this setting:
>
> # Search the root DSE for the password policy (works # with
> Netscape Directory Server) pam_lookup_policy yes
>
> Now, when i login to the terminal after a password reset, the
> login succeeds, but a messages flashes on the screen -
> something about password after reset - and I'm taken back to
> the login prompt.
>
> Any ideas?
Sounds like pam_ldap doesn't implement this properly - it should be
prompting you like passwd had been executed. I'll dig out that source code
when I get a minute or two.
More information about the Fedora-directory-users
mailing list