List: pamldap
Subject: [pamldap] PAM LDAP SUSE Password Expiration
From: "Urciolo, Kevin \(Mission Systems\)" <Kevin.Urciolo () ngc ! com>
Date: 2005-05-18 20:06:45
Message-ID: 5DBAE64CD0928B44B45B6FAF5B03B902337B93 () XCGV4806 ! northgrum ! com
> I am having trouble understanding how to configure PAM for password
> expiration. I have a Sun Java Directory Server 5.2 running on Solaris
> 9. I have Solaris 8, SUSE Professional 9.1 and Novell Desktop
> clients. We have a consumer server sitting between the Sun Java
> Directory Server and the clients. So when clients hit the directory,
> they are hitting the read only consumer server.
>
> The version of the PAM_LDAP module on the Novell desktop is 169.
> PAM_UNIX2 is used in the pam.d files. FILES LDAP is used in
> nsswitch.conf over COMPAT mode.
>
> The main question is:
>
> Should I be doing password expiration using the Sun Java Directory
> Server Password policies or ShadowAccount attributes?
> I have not seen the PAM module do password expiration with the
> password policies. However, I have set things up to use ShadowAccount
> attributes.
>
> I have run into some problems. First, I create a new account and give
> a shadowLastChange value of 0. When the user logs into the system
> using SSH the user is forced to change his password. He does so. He
> then logs out and logs right back in using SSH again. Sometimes, he is
> again forced to change his password. I am wondering if this is
> because the change occurs in the root server and the replication of
> the change hasn't hit the consumer server yet (which the client is
> pointing to).
>
> Another problem deals with sitting at the workstation and logging in.
> The popup is displayed telling the user to change his password after
> he logs in. You hit two OK windows, then get the box to enter the new
> password (twice). If the user does this, it doesn't work. The user
> gets a message saying the LDAP password is incorrect: try again.
> However, there was not a prompt asking for the original LDAP password.
> The only time the original password was provided was when he initially
> logged in to the system. The only way a user can get by this is to
> enter the old password into the new password boxes... then enter a new
> password if that fails because the password matches a dictionary
> value.
>
> I should also mention that to even get to the point where password
> changes were working at all required that I change an ACI that the Sun Java
> Directory Server idsconfig script creates. It creates a deny self ACI
> that specifically mentions the shadowLastChange attribute. This meant
> that the user could change his password, but the shadowLastChange
> attribute was not being updated. So he was required to change his
> password each time he logged in.
>
> Do I need to go down this route, or should I be using the Sun password
> policy instead?
>
> Thanks for any help,
>
> Kevin
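As an added illustration (not code from the poster, from pam_ldap or from pam_unix2), the Python below walks a shadowAccount entry the way a PAM stack applying shadow(5) aging rules would, and evaluates a constructed master copy beside a stale read-only consumer copy that still carries shadowLastChange 0, which is the forced-change-after-change symptom described above. The attribute semantics are an assumption based on shadow(5); the entries and uid are constructed.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def days_since_epoch(d):
    """shadow* attributes count days since 1970-01-01."""
    return (d - EPOCH).days

def _int_attr(entry, name):
    """Attribute as int, or None when absent/empty (aging field disabled)."""
    value = entry.get(name)
    return None if value in (None, "", "-1") else int(value)

def shadow_state(entry, today):
    """Classify a shadowAccount entry for a login on `today` (shadow(5) rules,
    assumed here; not the actual pam_ldap/pam_unix2 source)."""
    now = days_since_epoch(today)
    expire = _int_attr(entry, "shadowExpire")
    if expire is not None and now >= expire:
        return "account_expired"      # hard account cutoff, independent of aging
    last = _int_attr(entry, "shadowLastChange")
    if last is None:
        return "ok"                   # no aging information at all
    if last == 0:
        return "must_change"          # admin-set "change on next login" value
    maximum = _int_attr(entry, "shadowMax")
    if maximum is None:
        return "ok"                   # password never ages out
    expiry_day = last + maximum
    if now > expiry_day:
        inactive = _int_attr(entry, "shadowInactive")
        if inactive is not None and now > expiry_day + inactive:
            return "inactive"         # grace period used up: login refused
        return "password_expired"     # allowed in, but must change now
    warning = _int_attr(entry, "shadowWarning")
    if warning is not None and now >= expiry_day - warning:
        return "warn"
    return "ok"

# Constructed entries (not real directory data): the master copy right after
# the user changed his password, and the read-only consumer before the
# replicated change arrived, still carrying the initial shadowLastChange 0.
TODAY = date(2005, 5, 18)
AGING = {"shadowMax": "90", "shadowWarning": "7", "shadowInactive": "14"}
MASTER = {"uid": "testuser", "shadowLastChange": str(days_since_epoch(TODAY)), **AGING}
STALE_CONSUMER = {"uid": "testuser", "shadowLastChange": "0", **AGING}
```

Comparing shadow_state(MASTER, TODAY) with shadow_state(STALE_CONSUMER, TODAY) shows how a client bound to a consumer that lags the master keeps seeing "must_change" until replication catches up.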