dirsrv, SSH and forcing password change at first login

Claudio Di Nardo claudio.di.nardo at gmail.com
Thu Sep 29 13:54:01 UTC 2011


Hi all, (and hi Joe :P),

I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough
to make it active: you have to enable it on cn=config of your LDAP
tree as well.
In particular, in my configuration I have set these parameters on cn=config:

----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
----------------------------------------------------------

Then I leave it to each "per sub-tree" or "per user" setting to set all the
other in-depth policies that are required (e.g. min password length 8 chars,
min alpha chars, min digits, min caps...).
Plus, I updated the nss_ldap package to the latest release: apparently, in
fact, the default nss_ldap package in RHEL 5.4 suffers from a bug in password
expiry, as explained here:
http://rhn.redhat.com/errata/RHBA-2011-0097.html.
Now I correctly get these messages

user@ldap-client:[/root]# ssh ldap-user@ldap-client
Password:
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx

Remote kickstart on 2011-03-07

ldap-user@ldap-client:[/home/ldap-user]#

as well as

user@ldap-client:[/root]# ssh ldap-user@ldap-client
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:

Hope this can be useful to others.
Cheers! :)

Claudio
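As an added example (not part of Claudio's post or of the 389 Directory Server project), the script below turns the cn=config settings listed above into an LDIF modify file for ldapmodify, and audits an ldapsearch dump of cn=config so that a global setting left at its default (the situation that made the subtree policy look inactive) is caught before users see the effect at the SSH prompt. It assumes the OpenLDAP client tools (ldapmodify, ldapsearch) and a bind as cn=Directory Manager; the cn=config dump it audits is constructed inline, not real server output.

```shell
#!/bin/sh
# Added example, not from the original post: build the cn=config
# password-policy change as LDIF and audit a cn=config dump against it.

# Global settings exactly as listed in the post, as attr=value pairs.
POLICY="passwordCheckSyntax=on
passwordExp=on
passwordInHistory=10
passwordisglobalpolicy=off
passwordLockout=on
passwordStorageScheme=SHA512
passwordMustChange=on"

# Write an LDIF "modify" entry for cn=config into file $1.
# Each replace is terminated by a "-" line, as RFC 2849 requires.
write_policy_ldif() {
    {
        printf 'dn: cn=config\nchangetype: modify\n'
        printf '%s\n' "$POLICY" | while IFS='=' read -r attr value; do
            printf 'replace: %s\n%s: %s\n-\n' "$attr" "$attr" "$value"
        done
    } > "$1"
}

# Push the LDIF to the server (prompts for the Directory Manager password).
# usage: apply_policy policy.ldif ldap://ldap-server   (hypothetical host)
apply_policy() {
    ldapmodify -x -H "$2" -D "cn=Directory Manager" -W -f "$1"
}

# Audit an LDIF dump of cn=config, e.g. produced by:
#   ldapsearch -x -H ldap://ldap-server -D "cn=Directory Manager" -W \
#       -b cn=config -s base 'password*'
# Attribute names are matched case-insensitively, as LDAP itself does.
# Prints every attribute that is missing or differs; returns 0 only if
# all settings in POLICY are present with the expected value.
audit_policy() {
    dump=$1
    rc=0
    for pair in $POLICY; do
        attr=${pair%%=*}
        want=${pair#*=}
        got=$(grep -i "^$attr:" "$dump" | head -n 1 | sed 's/^[^:]*: *//')
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$attr" "$want" "${got:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample dump (not real output): everything set except
# passwordMustChange, which is still off at the global level.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
dn: cn=config
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordIsGlobalPolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: off
EOF

main() {
    ldif=$(mktemp)
    write_policy_ldif "$ldif"
    echo "== LDIF to apply with: apply_policy $ldif ldap://ldap-server"
    cat "$ldif"
    echo "== audit of the constructed cn=config dump"
    audit_policy "$SAMPLE_DUMP" ||
        echo "cn=config lacks global settings; per-subtree policy will not take effect"
}

main
```

Run the audit against a real dump first; only when it reports no mismatches is the "You are required to change your LDAP password immediately." prompt expected for users whose policy sets passwordMustChange.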