Victor Hugo dos Santos
2007-Sep-25 13:55 UTC
[Fedora-directory-users] posixaccount and shadowlastchange
Hello,

Linux authentication based on FDS works fine: I log in to the system via ssh and all users are in the FDS directory. cool !!!

But I need to use a security policy for user accounts (for example, every 60 days these users need to change their password, or they can't use the same password 3 times consecutively).

But FDS doesn't work with the shadow parameters. I run "getent passwd" and see all users (local and in FDS), but if I run "getent shadow" it only shows the local accounts, no accounts from FDS.

How is it possible to manage the security policy from posixaccount and, more important, so that for the users it continues being a transparent process?

URL ?? manual ?? docs ?? others ??

thanks

--
Victor Hugo dos Santos
Linux Counter #224399
Steve Rigler
2007-Sep-25 15:31 UTC
Re: [Fedora-directory-users] posixaccount and shadowlastchange
On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
> Hello,
>
> Linux authentication based on FDS works fine: I log in to the system via
> ssh and all users are in the FDS directory. cool !!!
>
> But I need to use a security policy for user accounts (for example, every 60
> days these users need to change their password, or they can't use the same
> password 3 times consecutively).
>
> But FDS doesn't work with the shadow parameters. I run "getent passwd"
> and see all users (local and in FDS), but if I run "getent shadow" it
> only shows the local accounts, no accounts from FDS.
>
> How is it possible to manage the security policy from posixaccount and, more
> important, so that for the users it continues being a transparent process?
>
> URL ?? manual ?? docs ?? others ??
>
> thanks
>
> --

Your accounts need to have the "shadowAccount" objectclass and "shadowLastChange" needs to be writable by ldap://self or by the dn that changes their password on their behalf (if you use "rootbinddn" in your pam ldap.conf).

-Steve
Victor Hugo dos Santos
2007-Sep-25 16:08 UTC
Re: [Fedora-directory-users] posixaccount and shadowlastchange
2007/9/25, Steve Rigler <srigler@marathonoil.com>:
> On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
[...]
> Your accounts need to have the "shadowAccount" objectclass and
> "shadowLastChange" needs to be writable by ldap://self or by the dn that
> changes their password on their behalf (if you use "rootbinddn" in your
> pam ldap.conf).

mmm... in my test it doesn't work..

debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0

debian2:/etc/ssl/certs# passwd camador
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for camador
passwd: password updated successfully

debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0

As you can see.. the shadow info is the same before and after the change of password.

any other idea ??

thanks

--
Victor Hugo dos Santos
Linux Counter #224399
Steve Rigler
2007-Sep-25 17:21 UTC
Re: [Fedora-directory-users] posixaccount and shadowlastchange
On Tue, 2007-09-25 at 12:08 -0400, Victor Hugo dos Santos wrote:
> 2007/9/25, Steve Rigler <srigler@marathonoil.com>:
> > On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
> [...]
> > Your accounts need to have the "shadowAccount" objectclass and
> > "shadowLastChange" needs to be writable by ldap://self or by the dn that
> > changes their password on their behalf (if you use "rootbinddn" in your
> > pam ldap.conf).
>
> mmm... in my test it doesn't work..
>
> debian2:/etc/ssl/certs# getent shadow | grep camador
> camador:*:13524::99999:7:::0
>
> debian2:/etc/ssl/certs# passwd camador
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for camador
> passwd: password updated successfully
>
> debian2:/etc/ssl/certs# getent shadow | grep camador
> camador:*:13524::99999:7:::0
>
> As you can see.. the shadow info is the same before and after the
> change of password.
>
> any other idea ??
>
> thanks
>

Did you add an aci to allow write access to "shadowLastChange"?

-Steve
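The following script is an added example, not code from the thread, from Fedora Directory Server or from pam_ldap. It parses the "getent shadow" lines shown above (standard /etc/shadow field order), explains why a 60-day aging policy cannot take effect for such an entry, detects the exact symptom in the thread (shadowLastChange staying at the same day number after "passwd"), and prints the LDIF for the 389/FDS ACI that the reply asks about. The suffix ou=People,dc=example,dc=com, the optional manager DN and the sample shadow lines are constructed for the example; the ACI uses the server's `userdn="ldap:///self"` spelling (three slashes).

```python
"""Shadow-aging sanity check for LDAP (FDS/389) POSIX accounts.

Added example, not code from the mailing-list thread or from FDS.
Sample lines and the directory suffix are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

EPOCH = date(1970, 1, 1)
NO_EXPIRY = 99999                # conventional "never expires" value of shadowMax
THREAD_DATE = date(2007, 9, 25)  # the day the posts above were written


@dataclass
class ShadowEntry:
    name: str
    last_change: Optional[int]   # days since 1970-01-01; None when the field is empty
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]


def _num(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one 'getent shadow' line: name:pw:lastchg:min:max:warn:inactive:expire:flag."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}: {line!r}")
    return ShadowEntry(fields[0], _num(fields[2]), _num(fields[3]),
                       _num(fields[4]), _num(fields[5]))


def days_since_epoch(day: date) -> int:
    """Shadow stores dates as whole days since 1970-01-01."""
    return (day - EPOCH).days


def password_age_days(entry: ShadowEntry, today: date) -> Optional[int]:
    if entry.last_change is None:
        return None
    return days_since_epoch(today) - entry.last_change


def aging_problems(entry: ShadowEntry, today: date, max_age: int = 60) -> List[str]:
    """Reasons a 'change every max_age days' policy is not enforceable for this entry."""
    problems = []
    if entry.last_change is None:
        problems.append("shadowLastChange is empty, so the password age is unknown")
    if entry.max_days is None or entry.max_days >= NO_EXPIRY:
        problems.append("shadowMax is unset or 99999, so the password never expires")
    elif entry.max_days > max_age:
        problems.append(f"shadowMax={entry.max_days} is looser than the {max_age}-day policy")
    age = password_age_days(entry, today)
    if age is not None and age > max_age:
        problems.append(f"password is {age} days old, past the {max_age}-day limit")
    return problems


def last_change_updated(before: ShadowEntry, after: ShadowEntry, today: date) -> bool:
    """True when shadowLastChange moved to today's day number after a password change.

    In the thread the value stayed at 13524 before and after 'passwd': the client
    set the new password but the server refused the attribute write (missing ACI).
    """
    return (after.last_change != before.last_change
            and after.last_change == days_since_epoch(today))


def self_write_aci_ldif(suffix: str, manager_dn: Optional[str] = None) -> str:
    """LDIF for ldapmodify adding a 389/FDS ACI that lets the user (or the DN that
    changes passwords on their behalf, e.g. a pam_ldap rootbinddn) write only
    shadowLastChange. 'suffix' is a constructed placeholder in this example."""
    who = f"ldap:///{manager_dn}" if manager_dn else "ldap:///self"
    aci = ('(targetattr="shadowLastChange")'
           '(version 3.0; acl "Allow update of shadowLastChange"; '
           f'allow (write) userdn="{who}";)')
    return f"dn: {suffix}\nchangetype: modify\nadd: aci\naci: {aci}\n"


if __name__ == "__main__":
    # Constructed sample: the entry from the thread, identical before and after passwd.
    before = parse_shadow_line("camador:*:13524::99999:7:::0")
    after = parse_shadow_line("camador:*:13524::99999:7:::0")
    print("shadowLastChange updated by passwd:", last_change_updated(before, after, THREAD_DATE))
    for problem in aging_problems(after, THREAD_DATE):
        print(" -", problem)
    print(self_write_aci_ldif("ou=People,dc=example,dc=com"))
```

Run it as-is to see the diagnosis for the thread's entry; pipe real "getent shadow" output through parse_shadow_line to check every directory account. Note that the ACI only grants write on shadowLastChange, so the user cannot edit their own shadowMax or other aging fields; those stay under administrator control.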
Victor Hugo dos Santos
2007-Sep-25 18:12 UTC
Re: [Fedora-directory-users] posixaccount and shadowlastchange
2007/9/25, Steve Rigler <srigler@marathonoil.com>:
> On Tue, 2007-09-25 at 12:08 -0400, Victor Hugo dos Santos wrote:
> > 2007/9/25, Steve Rigler <srigler@marathonoil.com>:
> > > On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
> > [...]
> > > Your accounts need to have the "shadowAccount" objectclass and
> > > "shadowLastChange" needs to be writable by ldap://self or by the dn that
> > > changes their password on their behalf (if you use "rootbinddn" in your
> > > pam ldap.conf).
> >
> > mmm... in my test it doesn't work..
> >
> > debian2:/etc/ssl/certs# getent shadow | grep camador
> > camador:*:13524::99999:7:::0
> >
> > debian2:/etc/ssl/certs# passwd camador
> > Enter login(LDAP) password:
> > New UNIX password:
> > Retype new UNIX password:
> > LDAP password information changed for camador
> > passwd: password updated successfully
> >
> > debian2:/etc/ssl/certs# getent shadow | grep camador
> > camador:*:13524::99999:7:::0
> >
> > As you can see.. the shadow info is the same before and after the
> > change of password.
> >
> > any other idea ??
> >
> > thanks
> >
>
> Did you add an aci to allow write access to "shadowLastChange"?

ups... sorry. now it works fine !!!

any other recommendation for working with posixaccount and FDS and security ??

very, very thanks

--
Victor Hugo dos Santos
Linux Counter #224399