
Re: dirsrv, SSH and forcing password change at first login



Hi all, (and hi Joe :P),

I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:

----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
----------------------------------------------------------

Then I leave it to each per-subtree or per-user setting to define all the other, more detailed policies that are required (e.g. minimum password length of 8 characters, minimum number of alphabetic characters, digits, capitals, ...).
Plus, I updated the nss_ldap package to the latest release: apparently the default nss_ldap package in RHEL 5.4 suffers from a bug in password expiry, as explained here: http://rhn.redhat.com/errata/RHBA-2011-0097.html.
Now I correctly get these messages:

user ldap-client:[/root]# ssh ldap-user ldap-client
Password:
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx

Remote kickstart on 2011-03-07

ldap-user ldap-client:[/home/ldap-user]#

as well as

user ldap-client:[/root]# ssh ldap-user ldap-client
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:

Hope this could be useful to others.
Cheers! :)

Claudio
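The point of the post is that the per-subtree policy silently does nothing until the global switches on cn=config are turned on. The script below is an added example (not part of Claudio's mail, and not a dirsrv tool) that checks a cn=config entry for exactly the switches listed above. It reads the LDIF you would get from a base-scope search of cn=config as Directory Manager (the ldapsearch invocation in the comment is assumed; adjust bind DN and options to your server) and reports every switch that is missing or off. The two LDIF entries inside it are constructed samples, not dumps of a real server; one mirrors the post's working configuration, the other shows the switches left off.

```python
"""Check a dirsrv/389-ds cn=config entry for the global password-policy
switches that the post enables. Added example, not code from the original mail.

Intended input (assumed command, run as Directory Manager):
    ldapsearch -x -LLL -D "cn=Directory Manager" -W -b cn=config -s base '(objectclass=*)'
"""
import base64

# Global switches the post sets on cn=config, keyed by lower-cased attribute
# name because dirsrv attribute names are case-insensitive (the post itself
# writes "passwordisglobalpolicy" in lower case).
EXPECTED = {
    "passwordchecksyntax": "on",
    "passwordexp": "on",
    "passwordlockout": "on",
    "passwordmustchange": "on",
    "passwordstoragescheme": "SHA512",
}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}.

    Handles the two LDIF details a naive grep misses: folded lines (a
    continuation line starts with a single space) and base64 values ("::").
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def check_global_policy(attrs):
    """Return a list of findings; an empty list means cn=config matches the post."""
    findings = []
    for name, want in EXPECTED.items():
        got = attrs.get(name)
        if not got:
            findings.append(f"{name}: not set on cn=config (want {want})")
        elif got[0].lower() != want.lower():
            findings.append(f"{name}: is {got[0]!r}, want {want!r}")
    return findings


# Constructed sample (not a real server dump) with the post's settings.
# passwordInHistory is folded over two lines and passwordStorageScheme is
# base64-encoded ("U0hBNTEy" == "SHA512") to exercise the parser.
GOOD_CN_CONFIG = """\
dn: cn=config
cn: config
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 1
 0
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme:: U0hBNTEy
passwordMustChange: on
"""

# Constructed sample of the failure mode in the post: the subtree policy was
# written, but the global switches on cn=config were never turned on.
UNTOUCHED_CN_CONFIG = """\
dn: cn=config
cn: config
passwordCheckSyntax: off
passwordExp: off
passwordLockout: off
passwordStorageScheme: SSHA
passwordMustChange: off
"""


if __name__ == "__main__":
    for label, ldif in (("post", GOOD_CN_CONFIG), ("untouched", UNTOUCHED_CN_CONFIG)):
        problems = check_global_policy(parse_ldif_entry(ldif))
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  " + p)
```

Run it against the real search output by replacing the sample strings with `sys.stdin.read()`; an empty findings list means the global policy is enabled the way the post describes, and any other result explains why a per-subtree or per-user policy is not taking effect.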
