[Fedora-directory-users] Ubuntu not enforcing password policies

[John A. Sullivan III]

Hello, all.  We're continuing to dive ever deeper into DS.  Our thanks
to the developers for such a powerful product.

Our integration with the RedHat family has gone well but now we're
working on Ubuntu.  Most is working well but we are finding Ubuntu is
not enforcing password policies.  For example, we require a user to
change their password after a reset.  When a user logs into a RedHat
system, they are prompted for the change.  However, Ubuntu just lets
them right in again and again with the same reset password.

Any pointers on what to look for to fix this in our configuration before
we scour the world for a solution? We've already done quite a bit of
googling.

We've tried enabling pam_lookup_policy but that didn't
work.  /etc/pam.d/common-password reads:

password        requisite                       pam_cracklib.so retry=3 minlen=8 difok=3
password        [success=2 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so

We've also tried disabling that last pam_permit.so.  That didn't help.  Where should we look? Thanks - John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society