[Fedora-directory-users] Some password policy enforcement information questions

Richard Megginson rmeggins at redhat.com
Mon Feb 20 15:07:44 UTC 2006


Bliss, Aaron wrote:

>Some more trouble with password expiration warnings; I have password
>warnings being displayed to users when they use passwords, however users
>configured to use key authentication
>
Do you mean ssh?

>do not receive these warnings; has
>anyone seen this before?  This is of course going to be a very big
>problem for me.  Any ideas?  Thanks again.
>
>Aaron
>
>-----Original Message-----
>From: Bliss, Aaron 
>Sent: Wednesday, January 25, 2006 7:48 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: RE: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>Turns out the issue I was having was with my clients; I'm not sure why,
>but the administrator before me had "UseLogin Yes" set in
>/etc/ssh/sshd_config; commenting this out immediately started generating
>password warnings to users (as configured by the directory server); does
>anyone know what the UseLogin option is used for?  Thanks.
>
>Aaron 
>
>-----Original Message-----
>From: Bliss, Aaron
>Sent: Thursday, January 19, 2006 3:15 PM
>To: 'General discussion list for the Fedora Directory server project.'
>Subject: RE: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>Thanks very much for the explanation; makes much sense to me now; I did
>some playing around, and got the directory server to spit out to me that
>your password is going to expire in x amount of days.  Thanks again.
>
>Aaron 
>
>-----Original Message-----
>From: fedora-directory-users-bounces at redhat.com
>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>Megginson
>Sent: Thursday, January 19, 2006 2:35 PM
>To: General discussion list for the Fedora Directory server project.
>Subject: Re: [Fedora-directory-users] Some password policy enforcement
>information questions
>
>It looks like the way it works is this:
>When you have enabled password warning, an operational attribute called
>"passwordExpWarned" is created in the user's entry.  The value will be 0
>until the user does a successful BIND operation and the time between now
>and the configured password expiration time is less than or equal to the
>configured password warning time.  When this happens, the warning will
>be sent, the value of passwordExpWarned will be changed to 1, and the
>operational attribute passwordExpirationTime in the user's entry will be
>set to the time at which the password will expire.  When the user
>changes the password, passwordExpWarned will be reset to 0 and
>passwordExpirationTime will be set to the new expiration time.
>
>Bliss, Aaron wrote:
>
>>If I've configured a correct password policy and the warning attribute
>>is not getting updated, should this be considered a bug?
>>
>>Aaron
>>
>>-----Original Message-----
>>From: fedora-directory-users-bounces at redhat.com
>>[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Richard
>>Megginson
>>Sent: Thursday, January 19, 2006 1:48 PM
>>To: General discussion list for the Fedora Directory server project.
>>Subject: Re: [Fedora-directory-users] Some password policy enforcement
>>information questions
>>
>>Bliss, Aaron wrote:
>>
>>>Please forgive me if I'm asking silly newbie questions, however I'm
>>>trying to understand exactly what I'm seeing thru fds; first the
>>>policy I've configured on the directory using the fds console:
>>>I've enabled fine-grain password policy for the data unit, including
>>>password history enforcement, password expiration after 90 days,
>>>password warning 14 days before password expires, check password
>>>syntax, account lockout policy enabled after 3 login failures for 120
>>>minutes and reset failure count after 15 minutes.
>>>
>>>Everything seems to be working except for send password warning; in
>>>the client's ldap.conf file, I've enabled pam_lookup_policy yes.
>>>
>>>Looking at account information attributes for a user, passwordExpWarned
>>>value is 0; I've reset the user's password to try to initialize the
>>>password policy, however this value never seems to change.  According
>>>to this documentation
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>>I believe that this attribute is stored in seconds.  Is this true?
>>>
>>Yes.
>>
>>
>>>If so, what can I do to ensure this attribute is getting updated
>>>(assuming that this is the attribute responsible for triggering
>>>password expiration warning).
>>>
>>I'm not really sure.
>>
>>>Second issue/question:
>>>I've looked at this wiki
>>>http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very
>>>bottom it mentions adding the following
>>>
>>>dn: cn=config
>>>changetype: modify
>>>add: passwordExp
>>>passwordExp: on
>>>-
>>>add: passwordMaxAge
>>>passwordMaxAge: 8640000
>>>(this I believe would give a password max age of 100 days)
>>>
>>>Do I need to add these attributes even though I've configured the
>>>password policy using the fds console, or has it done this for me?  Is
>>>this the case?  I don't see these attributes in the gui, however I do
>>>see passwordexpirationtime as an attribute and it is set to 90 days
>>>from now (I want to ensure that accounts are indeed locked after
>>>passwords have expired).
>>>
>>Those attributes are only for global (default) password policy - what
>>you have set for fine grained password policy will override those.
>>
>>>Also, Jim Summers posted to this group that he saw an issue with
>>>shadowpasswd / shadowexpire fields not being updated
>>>https://www.redhat.com/archives/fedora-directory-users/2005-December/msg00367.html
>>>
>>>Can anyone tell me what these fields are used for, as I don't see any
>>>mention of them in this documentation
>>>http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1077081
>>>
>>Right.  They are a PAM/posix thing - FDS treats them as any other data
>>- it doesn't update them from its own password policy.
>>
>>>Thanks again very much.
>>>
>>>Aaron
>>>
>>>www.preferredcare.org
>>>"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.
>>>Power and Associates
>>>
>>>Confidentiality Notice:
>>>The information contained in this electronic message is intended for
>>>the exclusive use of the individual or entity named above and may
>>>contain privileged or confidential information.  If the reader of this
>>>message is not the intended recipient or the employee or agent
>>>responsible to deliver it to the intended recipient, you are hereby
>>>notified that dissemination, distribution or copying of this
>>>information is prohibited.  If you have received this communication in
>>>error, please notify the sender immediately by telephone and destroy
>>>the copies you received.
>>>
>>>--
>>>Fedora-directory-users mailing list
>>>Fedora-directory-users at redhat.com
>>>https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
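As an added illustration of the passwordExpWarned / passwordExpirationTime behaviour Richard describes above (example code written for this page, not FDS's own), modelling the 90-day expiration and 14-day warning from Aaron's configuration. It assumes passwordExpirationTime is stored as a UTC GeneralizedTime string; the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption (not on the page): FDS stores passwordExpirationTime as an LDAP
# GeneralizedTime in UTC, e.g. "20060521150744Z".
GENERALIZED_TIME = "%Y%m%d%H%M%SZ"

def parse_gt(value):
    """UTC GeneralizedTime string -> aware datetime."""
    return datetime.strptime(value, GENERALIZED_TIME).replace(tzinfo=timezone.utc)

def format_gt(dt):
    """Aware datetime -> UTC GeneralizedTime string."""
    return dt.astimezone(timezone.utc).strftime(GENERALIZED_TIME)

def on_bind(entry, warning_secs, now):
    """Successful BIND, per the thread: if the time left before
    passwordExpirationTime is <= the warning window, the warning is sent and
    passwordExpWarned becomes 1.  Returns seconds left if due, else None."""
    remaining = parse_gt(entry["passwordExpirationTime"]) - now
    if remaining <= timedelta(seconds=warning_secs):
        entry["passwordExpWarned"] = "1"
        return int(remaining.total_seconds())
    return None

def on_password_change(entry, max_age_secs, now):
    """Password change, per the thread: passwordExpWarned resets to 0 and
    passwordExpirationTime becomes now + passwordMaxAge."""
    entry["passwordExpWarned"] = "0"
    entry["passwordExpirationTime"] = format_gt(now + timedelta(seconds=max_age_secs))
    return entry

def warning_sweep(entries, warning_secs, now):
    """Which users would be warned on their next BIND, and how many whole days
    they have left.  Works on copies; returns {uid: days_left}."""
    due = {}
    for e in entries:
        left = on_bind(dict(e), warning_secs, now)
        if left is not None:
            due[e["uid"]] = left // 86400
    return due

# Constructed sample matching the thread's policy: 90-day max age, 14-day warning.
NOW = datetime(2006, 2, 20, 15, 7, 44, tzinfo=timezone.utc)
MAX_AGE, WARN = 90 * 86400, 14 * 86400
SAMPLE = [
    {"uid": "aaron", "passwordExpWarned": "0", "passwordExpirationTime": "20060301000000Z"},
    {"uid": "jim", "passwordExpWarned": "0", "passwordExpirationTime": "20060520000000Z"},
]
```

Running warning_sweep over a dump of real entries is a quick way to confirm that the server's warning window, not the client, is what decides who gets warned.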