dirsrv, SSH and forcing password change at first login

Joe Friedeggs friedeggs44 at hotmail.com
Wed Sep 28 01:48:12 UTC 2011

I had the same issue on Red Hat (see https://www.redhat.com/archives/pam-list/2009-October/msg00031.html).  I found a couple of work-arounds, but the ultimate solution was set the following in /etc/ldap.conf (nss/pam ldap config):

pam_password exop


Date: Tue, 27 Sep 2011 15:24:51 +0200
Subject: dirsrv, SSH and forcing password change at first login
From: claudio.di.nardo at gmail.com
To: pam-list at redhat.com

Hi all,

I've got four LDAP servers up and running in multi-master configuration. Everything works fine, including ACIs, password policies, but I've got a problem in forcing users to change their passwords at first successful login.

I tried both methods "passwordMustChange: on" on the Password Policy Container and "passwordExpirationTime: 19700101000000Z" as attribute and value of the user, but with no luck. User is still able to login even after a password reset.

I tried to Google for this problem - of course! - I made some modification to PAM subsystem, (pam.d/* configuration files), nsswitch.conf and sshd_config, (challenge-response auth). 
I even tried to dig for some useful and unknown to me PAM module, but nothing did the trick, so I reverted everything to the original configuration.

I'm sure the Password Policy works because if I try to forcibly change my password as an LDAP SSH-connected user - with passwd - it applies all the checks I setup in Password Policy, (syntax and all the rest). But why, then, this particular feature doesn't work?

Please can you give me a clue, if you have it? :)
PAM/NSS could be the responsible?

Here are some specs of the software used:

RHEL Server 5.4 "Tikanga"
Kernel 2.6.18-164.el5
DS 8.2.0-2

PAM, SSHD, and all the rest are factory-default in Tikanga :)


Pam-list mailing list
Pam-list at redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20110927/bdee4396/attachment.htm>

More information about the Pam-list mailing list