[Fedora-directory-users] Account Expiration Warning
Jim Summers
jsummers at bachman.cs.ou.edu
Wed Dec 21 18:27:04 UTC 2005
Jamie McKnight wrote:
> On Wed, 2005-12-21 at 09:08 -0600, Jim Summers wrote:
>
>>Hello List,
>>
>>Having been troubled in the past with account expiration on an
>>iplanet5.1 server with linux clients, I wanted to get this working
>>during my evaluation / testing of FDS.
>>
>>I have enabled the password policy on the FDS and set the ldap.conf
>>entries necessary to get this working. Upon doing this and then
>>logging in and out, new fields appear in the people container for that
>>account. Such as passwordexpirationtime, passwordretrycount, etc... All
>>is working, such as, a passwd change will update the necessary fields
>>for the correct length of time reset counts, etc...
>>
>>When testing the password expiration warning I stumbled onto the issue,
>>that I do not get an actual "Your password will expire in XX days"
>>message. I do see where the field, passwordexpwarned is set to "1", but
>>I do not ever get an actual message.
>>
>>The way I am testing is to set the policy to warn the user, 3 days in
>>advance. Then I set the passwordexpiratontime to a date less than three
>>days away. Then attempt to log in. Login is ok, but no warning of the
>>impending doom about to strike the account.
>>
>>If I actually set the expirationtime to a time less than the current,
>>then I can login until passwordusergracetime is GE the allowed number of
>>logins after the password expiration. At which time I get a message
>>that the password expired and it must be changed immediately, at which
>>time the connection immediately closes and the password cannot be changed!
>>
>>No log entries in error, so I am not sure what I have overlooked?
>>
>
>
> I just tested this against FDS 1.0.1 with CentOS 4.2 as the client. I
> can get it to spit out the "Your LDAP password will expire in blah days"
> message. How is your /etc/ldap.conf and /etc/pam.d/system-auth
=SYSTEM_AUTH=
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
=============
> and /etc/pam.d/sshd files set up?
=SSHD=
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_selinux.so
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
=============
Make sure you have
>
> pam_lookup_policy yes
Verified.
>
> in /etc/ldap.conf, and that your pam stack is set up for pam_ldap
> authentication. Also, if you are using a proxy agent, the proxy agent
> must not be able to see the userPassword attribute, or you will end up
> authenticating via pam_unix, and not pam_ldap.
This could be the problem. I am using a proxy and not sure how to test
what you are saying. If I do an ldasearch such as:
ldapsearch -x -ZZ '(uid=tulsa)'
then that should bind via the entries in ldap.conf hence use the
config'd proxy, correct? Then if that search shows a userPassword then
that would confirm pam_unix usage? Not sure how to stop it if it is
using pam_unix?
Thanks,
jim
If you have all of this
> setup this way already, I am not sure why you don't see the warning.
>
> In my testing however, I did notice something happening that should not
> be. I set the time in passwordexpirationtime to tomorrow, and the
> password policy is set to warn 14 days before the password expires. On
> my first login I get the message:
>
> Your LDAP password will expire in 14 days.
>
> Which is not correct, it should have said '1 day'. After this message
> is sent, my next login shows this:
>
> Your LDAP password will expire in 13 days.
>
> Which is still not correct. Looking at the entry at this point shows
> that it reset the passwordexpirationtime to something in the future
> (roughly looks like 14 days, which matches what I put in for warn days),
> which is also not something that should be done. passwordexpirationtime
> attribute should only be modified when the user actually
> modifies/changes their password.
>
> Not sure how to start helping with getting info to the right folks to
> help troubleshoot/fix this, but I am willing to help out as much as I
> can.
>
> I know this works in SunOne Directory Server 5.2 with RHEL3/4 and
> Solaris 8/9 clients so I am pretty certain this is not an issue on the
> client end (although I have been know to be wrong on occasion 8-).
>
> Jamie
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
More information about the Fedora-directory-users
mailing list