[Fedora-directory-users] pam_ldap and password policy

[Pete Rowley]

> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com 
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf 
> Of Jeff Falgout
> Sent: Tuesday, June 14, 2005 12:45 PM
> To: General discussion list for the Fedora Directory server project.
> Subject: RE: [Fedora-directory-users] pam_ldap and password policy
> 
> Pete Rowley said:
> >
> >
> >> -----Original Message-----
> >> From: fedora-directory-users-bounces at redhat.com
> >> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
> >> jclowser at unitedmessaging.com
> >> Sent: Tuesday, June 14, 2005 11:26 AM
> >> To: General discussion list for the Fedora Directory 
> server project.
> >> Subject: Re: [Fedora-directory-users] pam_ldap and password policy 
> >> changed.  BTW - how would pam_ldap force the user to change their 
> >> password - can it do it itself, or would it require the 
> user to log 
> >> in and run passwd or something?  It may not be possible.
> >>
> >
> > PAM has the necessary protocol for password changes during 
> logon - in 
> > fact PAM gets called by passwd.  However, I do not know off hand 
> > whether pam_ldap implements those functions.
> >
> 
> It seems that pam_ldap is checking the password policy -
> 
> I've looked at ldap.conf so many times, I've overlooked this setting:
> 
> # Search the root DSE for the password policy (works # with 
> Netscape Directory Server) pam_lookup_policy yes
> 
> Now, when i login to the terminal after a password reset, the 
> login succeeds, but a messages flashes on the screen - 
> something about password after reset - and I'm taken back to 
> the login prompt.
> 
> Any ideas?

Sounds like pam_ldap doesn't implement this properly - it should be
prompting you like passwd had been executed.  I'll dig out that source code
when I get a minute or two.