dirsrv, SSH and forcing password change at first login

Claudio Di Nardo claudio.di.nardo at gmail.com
Tue Sep 27 13:24:51 UTC 2011


Hi all,

I've got four LDAP servers up and running in multi-master configuration.
Everything works fine, including ACIs and password policies, but I've got a
problem forcing users to change their passwords at first successful
login.
I tried both methods, "passwordMustChange: on" on the Password Policy
Container and "passwordExpirationTime: 19700101000000Z" as an attribute and
value on the user, but with no luck. The user is still able to log in even after
a password reset.
I tried to Google for this problem - of course! - and I made some modifications
to the PAM subsystem (pam.d/* configuration files), nsswitch.conf and
sshd_config (challenge-response auth).
I even tried to dig for some useful PAM module unknown to me, but
nothing did the trick, so I reverted everything to the original
configuration.
I'm sure the Password Policy works, because if I forcibly change my
password as an LDAP SSH-connected user - with passwd - it applies all the
checks I set up in the Password Policy (syntax and all the rest). But why, then,
doesn't this particular feature work?
Please, can you give me a clue, if you have one? :)
Could PAM/NSS be responsible?

Here are some specs of the software used:

RHEL Server 5.4 "Tikanga"
Kernel 2.6.18-164.el5
DS 8.2.0-2
PAM, SSHD, and all the rest are factory-default in Tikanga :)


Thanks
Claudio
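As an added example (not part of Claudio's message, and not code from 389/Red Hat Directory Server or pam_ldap), the following Python shows the two places a client can look to decide whether an account is in the "must change password" state the post is trying to enforce: the user entry itself (the passwordExpirationTime sentinel from the post, plus the pwdReset attribute) and the controls returned on the bind response (the Netscape "password expired" control and the IETF password-policy response control with error changeAfterReset/passwordExpired). The control OIDs and the BER layout of the ppolicy response are from the Netscape control definitions and draft-behera-ldap-password-policy, not from the post; the sample entries and control values are constructed. Which of these signals the RHEL 5 pam_ldap/sshd stack actually honours is not established by the post and is left as something to verify with ldapsearch and a debug-enabled PAM module.

```python
"""Evaluate the "must change password at first login" state of a directory
account the way an LDAP client or PAM module would have to.

Signal 1: attributes on the user entry (what ldapsearch shows after a reset).
Signal 2: response controls on the user's own bind.
"""
import datetime

# Sentinel used in the post: an expiration time at the Unix epoch.
EPOCH_SENTINEL = "19700101000000Z"

# Netscape/389 DS bind-response controls (no value; presence is the signal).
NS_PASSWORD_EXPIRED = "2.16.840.1.113730.3.4.4"
NS_PASSWORD_EXPIRING = "2.16.840.1.113730.3.4.5"
# IETF password policy response control (draft-behera-ldap-password-policy).
PPOLICY_RESPONSE = "1.3.6.1.4.1.42.2.27.8.5.1"
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}


def parse_gentime(value):
    """LDAP GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware UTC datetime."""
    return datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)


def must_change_from_entry(entry, now=None):
    """entry: {attribute: [values]} as returned for the user's own DN.
    pwdReset TRUE, or an expiration time already in the past (the epoch
    sentinel from the post is the extreme case), means "must change"."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    if entry.get("pwdReset", ["FALSE"])[0].upper() == "TRUE":
        return True
    exp = entry.get("passwordExpirationTime")
    if not exp:
        return False
    return parse_gentime(exp[0]) <= now


def _tlv(buf, pos):
    """Read one BER tag/length/value triple; returns (tag, content, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED OPTIONAL }
    The CHOICE is explicitly tagged (0xA0); its members and 'error' are
    implicitly tagged primitives (0x80, 0x81)."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy response is not a SEQUENCE")
    out = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, content, pos = _tlv(body, pos)
        if tag == 0xA0:
            wtag, wval, _ = _tlv(content, 0)
            kind = {0x80: "timeBeforeExpiration",
                    0x81: "graceAuthNsRemaining"}.get(wtag)
            if kind is None:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
            out["warning"] = (kind, int.from_bytes(wval, "big", signed=True))
        elif tag == 0x81:
            code = int.from_bytes(content, "big", signed=True)
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return out


def must_change_from_bind_controls(controls):
    """controls: [(oid, raw_value_bytes)] taken from the bind response.
    A PAM module that sees one of these should return PAM_NEW_AUTHTOK_REQD
    so that sshd runs the password-change conversation."""
    for oid, value in controls:
        if oid == NS_PASSWORD_EXPIRED:
            return True
        if oid == PPOLICY_RESPONSE:
            if decode_ppolicy_response(value)["error"] in (
                    "changeAfterReset", "passwordExpired"):
                return True
    return False


# Constructed samples (not captured from a real server).
SAMPLE_RESET_USER = {"uid": ["cdinardo"],
                     "passwordExpirationTime": [EPOCH_SENTINEL],
                     "pwdReset": ["TRUE"]}
SAMPLE_OK_USER = {"uid": ["jdoe"],
                  "passwordExpirationTime": ["20991231235959Z"]}
SAMPLE_CONTROLS_RESET = [(PPOLICY_RESPONSE, b"\x30\x03\x81\x01\x02")]  # error=2
SAMPLE_CONTROLS_NS = [(NS_PASSWORD_EXPIRED, b"")]
SAMPLE_CONTROLS_WARN = [(PPOLICY_RESPONSE, b"\x30\x06\xa0\x04\x80\x02\x0e\x10")]

if __name__ == "__main__":
    print("reset user:", must_change_from_entry(SAMPLE_RESET_USER))
    print("ok user:", must_change_from_entry(SAMPLE_OK_USER))
    print("bind (changeAfterReset):", must_change_from_bind_controls(SAMPLE_CONTROLS_RESET))
    print("bind (3600s warning only):", must_change_from_bind_controls(SAMPLE_CONTROLS_WARN))
```

In practice the first function corresponds to `ldapsearch -D "cn=Directory Manager" ... "(uid=cdinardo)" passwordExpirationTime pwdReset` run right after the administrative reset: if the sentinel and pwdReset are not there, the server side is not doing what the policy asks. The second corresponds to binding as the user with the password-policy request control and inspecting the response; if the server does flag the account but the login still succeeds without a change prompt, the problem is on the PAM/sshd side rather than in the directory.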