dirsrv, SSH and forcing password change at first login

Joe Friedeggs friedeggs44 at hotmail.com
Thu Sep 29 20:29:37 UTC 2011


Out of curiosity, is it working with md5?

In /etc/ldap.conf:
pam_password md5
pam_lookup_policy yes
 
Thanks,
Joe

Date: Thu, 29 Sep 2011 15:54:01 +0200
Subject: Re: dirsrv, SSH and forcing password change at first login
From: claudio.di.nardo at gmail.com
To: pam-list at redhat.com

Hi all, (and hi Joe :P),

I finally got it working! 
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:


----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512

passwordMustChange: on
----------------------------------------------------------

Then, I leave to each "per sub-tree" or "per user" setting the duty to set all the other in-depth policies (e.g. min password length 8 chars, min alpha chars, min digits, min caps...) which are requested.

Plus, I updated the nss_ldap package to the latest release: apparently, in fact, the RHEL 5.4 default nss_ldap package suffers from a bug in password expiry, as explained here: http://rhn.redhat.com/errata/RHBA-2011-0097.html.

Now I correctly get these messages:

user at ldap-client:[/root]# ssh ldap-user at ldap-client
Password: 
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx


Remote kickstart on 2011-03-07

ldap-user at ldap-client:[/home/ldap-user]#

as well as

user at ldap-client:[/root]# ssh  ldap-user at ldap-client
Password: 
You are required to change your LDAP password immediately.

Enter login(LDAP) password:

Hope this can be useful to others.
Cheers! :)

Claudio
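An added audit script, written for this archive page and not part of the thread, that reads a cn=config entry (as `ldapsearch -LLL -b cn=config` prints it) and reports which of the global switches Claudio lists are off or missing; the sample entries, the required-value table and the deprecated-scheme set are this example's own assumptions.

```python
"""Audit the 389 Directory Server global password policy read from
cn=config: the thread above found that per-subtree and per-user
policies only take effect once these switches are enabled globally.
Input is the LDIF that `ldapsearch -LLL -b cn=config` prints."""
from typing import Dict, List

# Values from the thread's working cn=config. LDAP attribute names are
# case-insensitive (note "passwordisglobalpolicy" above), so we normalise.
REQUIRED_GLOBAL_POLICY = {
    "passwordExp": "on",
    "passwordMustChange": "on",
    "passwordLockout": "on",
    "passwordCheckSyntax": "on",
    "passwordIsGlobalPolicy": "off",  # subtree/user policies stay in charge
}
DEPRECATED_SCHEMES = {"CLEAR", "CRYPT", "MD5", "SHA"}  # unsalted or weak

def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lowercased attribute: [values]}."""
    attrs: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:            # folded continuation line
            attrs[last][-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            name, sep, value = raw.partition(":")
            last = name.strip().lower() if sep and not value.startswith(":") else None
            if last:                                # base64 ("::") values skipped
                attrs.setdefault(last, []).append(value.strip())
    return attrs

def audit_global_policy(ldif_text: str) -> List[str]:
    """Return findings; an empty list means cn=config matches the thread."""
    attrs = parse_ldif_entry(ldif_text)
    findings = []
    for name, wanted in REQUIRED_GLOBAL_POLICY.items():
        got = attrs.get(name.lower(), ["<missing>"])[0]
        if got.lower() != wanted:
            findings.append(f"{name} is {got}, expected {wanted}")
    scheme = attrs.get("passwordstoragescheme", ["<missing>"])[0]
    if scheme.upper() in DEPRECATED_SCHEMES:
        findings.append(f"passwordStorageScheme {scheme} is deprecated")
    return findings

# Constructed sample entries (not captured from a real server).
SAMPLE_OK = ("dn: cn=config\ncn: config\npasswordCheckSyntax: on\npasswordExp: on\n"
             "passwordisglobalpolicy: off\npasswordLockout: on\n"
             "passwordStorageScheme: SHA512\npasswordMustChange: on\n")
SAMPLE_BAD = SAMPLE_OK.replace("Change: on", "Change: off").replace("SHA512", "MD5")
```

Running `audit_global_policy` on the output of a real `ldapsearch` against cn=config gives a quick way to confirm the global switches before debugging the per-subtree policy or the PAM side.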

