
List:       pamldap
Subject:    [pamldap] Password policy control not sent when pam_ldap uses md5
From:       joefriedeggs <friedeggs44 () hotmail ! com>
Date:       2009-12-09 4:25:59
Message-ID: 26702389.post () talk ! nabble ! com


Posted similar message to LDAP and PAM lists.
 
I am seeing some strange issues when I attempt to use MD5 password hashing
from my Red Hat Linux servers.  I am running OpenLDAP client
(openldap-clients.2.3.43-3) with PAM (pam-0.99.6.2-6) on RHEL5, and using
the ppolicy overlay in the OpenLDAP server.
 
I have the following:
 
In /etc/ldap.conf:
pam_password md5
pam_lookup_policy yes
 
 
In /etc/pam.d/system-auth:
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 type=LDAP
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
 

 
Here's the problem:
 
With this configuration, I NEVER see the client send the
passwordPolicyRequest Request Control message (controlType
1.3.6.1.4.1.42.2.27.8.5.1) in any LDAP request, thus the LDAP server never
returns the password status (expired, etc.).  I've also noticed that the
password in LDAP shows something like "{crypt}Fe9RyjhrMaom.".  So, as far as
the users are concerned, their passwords never expire.
 
 
IF I change to use clear-text instead of MD5, I see the Request Control in
the LDAP bind from the Linux LDAP client, and password expiry notification
works fine.
 
OR, IF I change the password in LDAP manually to MD5 (using ldapadmin tool),
where it shows something like "{MD5}rFyeI1Li1xieh1hj2lRvRw==", the Request
Control is sent from the client.
 
Any ideas?  Is this a known bug?
 
Thanks,
Joe
-- 
View this message in context:
http://old.nabble.com/Password-policy-control-not-sent-when-pam_ldap-uses-md5-tp26702389p26702389.html
Sent from the PAM LDAP mailing list archive at Nabble.com.
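An added example, not part of the original post: the poster established whether the passwordPolicyRequest control (OID 1.3.6.1.4.1.42.2.27.8.5.1) was present by watching the LDAP traffic. The small Python decoder below does the same check offline on a raw LDAPMessage, so a captured BindRequest can be tested without a packet-dissector. It assumes BER with definite lengths, and since no capture is on the page it constructs its own sample BindRequests with and without the control.

```python
# Check whether a raw LDAP BindRequest carries the ppolicy request control.
# Constructed example; minimal BER handling (definite lengths only).
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # passwordPolicyRequest

def _tlv(tag, body):
    """Encode one BER TLV (short or long definite length)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_bind(msg_id, dn, password, controls=()):
    """Build an LDAPMessage { messageID, BindRequest(simple), controls }."""
    bind = (_tlv(0x02, bytes([3]))          # version 3
            + _tlv(0x04, dn.encode())       # name
            + _tlv(0x80, password.encode()))  # [0] simple authentication
    body = _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind)  # [APPLICATION 0]
    if controls:  # [0] Controls ::= SEQUENCE OF Control { controlType, ... }
        body += _tlv(0xA0, b"".join(
            _tlv(0x30, _tlv(0x04, oid.encode())) for oid in controls))
    return _tlv(0x30, body)

def _walk(buf):
    """Yield (tag, value) for each top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        i += 2
        if ln & 0x80:  # long-form length
            k = ln & 0x7F
            ln = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + ln]
        i += ln

def control_oids(ldap_message):
    """Return the controlType OIDs attached to an LDAPMessage (sent or received)."""
    top = list(_walk(ldap_message))
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("not an LDAPMessage")
    oids = []
    for tag, val in _walk(top[0][1]):
        if tag == 0xA0:  # the optional [0] controls field
            for _ctag, cval in _walk(val):
                oids.append(next(_walk(cval))[1].decode())  # controlType first
    return oids

def sends_ppolicy_control(ldap_message):
    return PPOLICY_OID in control_oids(ldap_message)
```

Feed `sends_ppolicy_control()` the bytes of a BindRequest pulled from a capture; `False` on a bind from the pam_ldap client reproduces the symptom described in the post.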

