[Fedora-directory-users] Password history is not being enforced by the directory server

Bliss, Aaron ABliss at preferredcare.org
Thu Jan 19 16:07:02 UTC 2006 

Sorry I forgot to include, but I have pam_lookup_policy yes already set
in ldap.conf.

Aaron  

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com
[mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Jonathan
Barber
Sent: Thursday, January 19, 2006 11:04 AM
To: General discussion list for the Fedora Directory server project.
Subject: Re: [Fedora-directory-users] Password history is not being
enforced by the directory server

On Thu, Jan 19, 2006 at 11:01:26AM -0500, Bliss, Aaron wrote:
> It appears that this is an issue with the client; if I attempt change 
> a users password from within fds using a password that I've already 
> used for that user, I get a warning from fds indicating that it 
> violates password history rule.  However, using passwd from a client 
> allows usage of old passwords.

PDAL libnss_ldap has another option (present in 2.4.3 at least):
pam_lookup_policy yes

which may be what you need.

> 
> Aaron
> 
> -----Original Message-----
> From: fedora-directory-users-bounces at redhat.com
> [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of 
> Richard Megginson
> Sent: Thursday, January 19, 2006 10:59 AM
> To: General discussion list for the Fedora Directory server project.
> Subject: Re: [Fedora-directory-users] Password history is not being 
> enforced by the directory server
> 
> Bliss, Aaron wrote:
> 
> >I'm not sure why, but for some reason the directory servers are not 
> >enforcing password history policies.  I've set the policy from within

> >the fds console at the data level (as described in directory server 
> >documentation).
> >
> Did you set "Enable fine-grained password policy" under the 
> Configuration tab -> Data node -> Passwords tab?  Because the console 
> will allow you to configure the fine grained password policy under the

> Directory tab even if this is not set, but it will not take effect.
> 
> >Here is a sample ldap.conf file:
> >
> >pam_password exop
> >pam_password clear
> >pam_password md5
> >ssl start_tls
> >ssl on
> >
> >I'm running fds 1.0.1 on a redhat 4 box (actually have 2 directory 
> >servers, I've set this policy on both servers, supplier consumer 
> >replication is setup between them.
> >
> >I've verified that this is not enforced regardless if the client has 
> >ssl enabled or not.
> >
> Did you try ldapmodify from the command line to see if the problem is 
> with FDS or with PAM?  e.g.
> ldapmodify -D "uid=user,ou=people,dc=company,dc=com" -w 
> currentpassword
> dn: uid=user,ou=people,dc=company,dc=com
> changetype: modify
> replace: userPassword
> userPassword: passwordinhistory
> 
> >Please advise as this is a highly critical issue that I must get 
> >fixed in order to move this into production.  Thanks very much.
> >
> >Aaron
> >
> >www.preferredcare.org
> >"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D.

> >Power and Associates
> >
> >Confidentiality Notice:
> >The information contained in this electronic message is intended for
> the exclusive use of the individual or entity named above and may 
> contain privileged or confidential information.  If the reader of this

> message is not the intended recipient or the employee or agent 
> responsible to deliver it to the intended recipient, you are hereby 
> notified that dissemination, distribution or copying of this 
> information is prohibited.  If you have received this communication in

> error, please notify the sender immediately by telephone and destroy 
> the copies you received.
> >
> >
> >--
> >Fedora-directory-users mailing list
> >Fedora-directory-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/fedora-directory-users
> >  
> >
> 
> 
> www.preferredcare.org
> "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. 
> Power and Associates
> 
> Confidentiality Notice:
> The information contained in this electronic message is intended for
the exclusive use of the individual or entity named above and may
contain privileged or confidential information.  If the reader of this
message is not the intended recipient or the employee or agent
responsible to deliver it to the intended recipient, you are hereby
notified that dissemination, distribution or copying of this information
is prohibited.  If you have received this communication in error, please
notify the sender immediately by telephone and destroy the copies you
received.
> 
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jonathan Barber
High Performance Computing Analysis
Tel. +44 (0) 1382 86389

--
Fedora-directory-users mailing list
Fedora-directory-users at redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users

More information about the Fedora-directory-users mailing list