Has anyone been able to get pam_ldap to honor the password policy set in fedora-ds? I've tried RHEL3 and RHEL4 clients, and both just ignore settings such as "User must change password after reset". Is it a misconfiguration on my part, or is that the appropriate behavior of pam_ldap?

Thanks
Jeff
jclowser@unitedmessaging.com
2005-Jun-14 18:26 UTC
Re: [Fedora-directory-users] pam_ldap and password policy
I believe when you set that feature on the directory server, what actually happens is that the first time a user binds to the directory, a v3 control/message is sent back to the client (in this case, pam_ldap) saying effectively that the password must be changed. BTW - how would pam_ldap force the user to change their password - can it do it itself, or would it require the user to log in and run passwd or something? It may not be possible.

If the client is binding as a v2 client, or doesn't know how to interpret these v3 messages, it will be ignored. Many protocols _can't_ make use of this, because they have no mechanism for changing passwords (i.e. POP, IMAP, SMTP, HTTP, etc are ones that come to mind). I don't use this feature because the danger is that if the first thing a user logs into is via one of these protocols, and this message is ignored, the result of not changing their password takes effect (what does FDS do, btw? Prevent the account from binding again, effectively locking the user out? Does it allow some number of binds before it takes effect? I can't remember cause I never use it :) )

If I'm wrong, I'm sure someone will correct me :)

- Jeff

Jeff Falgout wrote:
> Has anyone been able to get pam_ldap to honor the password policy set in
> fedora-ds?
>
> I've tried RHEL3 and RHEL4 clients, and both just ignore settings such as
> "User must change password after reset". Is it a misconfiguration on my
> part, or is that the appropriate behavior of pam_ldap.
>
> Thanks
> Jeff
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
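The "v3 control" mentioned above is the LDAP Password Policy response control from draft-behera-ldap-password-policy (OID 1.3.6.1.4.1.42.2.27.8.5.1). The decoder below is an added example for this thread, not code from pam_ldap, Fedora DS or any reply in it. The OID, the ASN.1 layout and the error codes come from that draft; the control bytes are hand-constructed so the script runs offline, and the `controls` dict passed to `bind_outcome` is a stand-in for whatever a real LDAP library returns, not a library API. It shows the point being made: a client that never parses the control sees a successful bind and nothing else, even when the server has flagged the password as "must change after reset".

```python
"""Decode the LDAP Password Policy response control described in
draft-behera-ldap-password-policy. Added example for this thread, not code
from pam_ldap or Fedora DS; the control bytes below are hand-constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PASSWORD_POLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values from the draft
PP_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
             3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
             5: "insufficientPasswordQuality", 6: "passwordTooShort",
             7: "passwordTooYoung", 8: "passwordInHistory"}


@dataclass
class PasswordPolicyResponse:
    time_before_expiration: Optional[int] = None  # warning [0] -> [0] INTEGER
    grace_authns_remaining: Optional[int] = None  # warning [0] -> [1] INTEGER
    error: Optional[str] = None                   # error [1] ENUMERATED

    @property
    def must_change_password(self) -> bool:
        return self.error == "changeAfterReset"


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER value")
    return tag, buf[pos:pos + length], pos + length


def _ber_int(value: bytes) -> int:
    if not value:
        raise ValueError("empty INTEGER")
    return int.from_bytes(value, "big", signed=True)


def decode_password_policy_response(value: bytes) -> PasswordPolicyResponse:
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { ... } OPTIONAL }"""
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected one outer SEQUENCE")
    resp, pos = PasswordPolicyResponse(), 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # [0] constructed: the warning CHOICE
            ctag, cval, cend = _read_tlv(inner, 0)
            if cend != len(inner):
                raise ValueError("trailing bytes in warning CHOICE")
            if ctag == 0x80:
                resp.time_before_expiration = _ber_int(cval)
            elif ctag == 0x81:
                resp.grace_authns_remaining = _ber_int(cval)
            else:
                raise ValueError(f"unknown warning tag 0x{ctag:02x}")
        elif tag == 0x81:  # [1] primitive: the error ENUMERATED
            code = _ber_int(inner)
            resp.error = PP_ERRORS.get(code, f"unknown({code})")
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
    return resp


def bind_outcome(result_code: int, controls: dict) -> str:
    """What a policy-aware client concludes from a bind result plus the
    response controls (a plain dict keyed by OID, standing in for whatever the
    LDAP library returns). A client that never inspects the control gets
    'login ok' for a reset password, which is the failure mode discussed above."""
    if result_code != 0:
        return "bind failed"
    raw = controls.get(PASSWORD_POLICY_CONTROL_OID)
    if raw is None:
        return "login ok (no policy control)"
    pp = decode_password_policy_response(raw)
    if pp.must_change_password:
        return "login ok, but password change required before continuing"
    if pp.error:
        return f"bind succeeded but policy reports {pp.error}"
    if pp.grace_authns_remaining is not None:
        return f"login ok, {pp.grace_authns_remaining} grace bind(s) left"
    if pp.time_before_expiration is not None:
        return f"login ok, password expires in {pp.time_before_expiration}s"
    return "login ok"


# Hand-encoded sample control values (constructed, not captured traffic).
SAMPLE_CHANGE_AFTER_RESET = bytes.fromhex("30 03 81 01 02")
SAMPLE_EXPIRING_SOON = bytes.fromhex("30 06 A0 04 80 02 0E 10")  # 3600 s
SAMPLE_GRACE_LEFT = bytes.fromhex("30 05 A0 03 81 01 03")
SAMPLE_ACCOUNT_LOCKED = bytes.fromhex("30 03 81 01 01")  # sent with a failed bind

if __name__ == "__main__":
    for raw in (SAMPLE_CHANGE_AFTER_RESET, SAMPLE_EXPIRING_SOON, SAMPLE_GRACE_LEFT):
        print(decode_password_policy_response(raw),
              "->", bind_outcome(0, {PASSWORD_POLICY_CONTROL_OID: raw}))
    print("unaware client:", bind_outcome(0, {}))
```

The decoder rejects truncated or trailing bytes rather than guessing, which matters because the control arrives from the network on every bind; whether a given server version actually emits the control, and for which bind operations, still has to be confirmed against that server, which this example does not do.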
Pete Rowley
2005-Jun-14 18:51 UTC
RE: [Fedora-directory-users] pam_ldap and password policy
jclowser@unitedmessaging.com wrote:
> changed. BTW - how would pam_ldap force the user to change
> their password - can it do it itself, or would it require the
> user to log in and run passwd or something? It may not be possible.

PAM has the necessary protocol for password changes during logon - in fact PAM gets called by passwd. However, I do not know off hand whether pam_ldap implements those functions.

> effect (what does FDS do, btw? Prevent the account from
> binding again, effectively locking the user out? Does it
> allow some number of binds before it takes effect? I can't
> remember cause I never use it :) )

I believe it begins nagging some time before it takes action.
Jeff Falgout
2005-Jun-14 19:44 UTC
RE: [Fedora-directory-users] pam_ldap and password policy
Pete Rowley said:
> jclowser@unitedmessaging.com wrote:
>> changed. BTW - how would pam_ldap force the user to change
>> their password - can it do it itself, or would it require the
>> user to log in and run passwd or something? It may not be possible.
>
> PAM has the necessary protocol for password changes during logon - in fact
> PAM gets called by passwd. However, I do not know off hand whether pam_ldap
> implements those functions.

It seems that pam_ldap is checking the password policy - I've looked at ldap.conf so many times, I've overlooked this setting:

    # Search the root DSE for the password policy (works
    # with Netscape Directory Server)
    pam_lookup_policy yes

Now, when I login to the terminal after a password reset, the login succeeds, but a message flashes on the screen - something about password after reset - and I'm taken back to the login prompt.

Any ideas?
Pete Rowley
2005-Jun-14 20:06 UTC
RE: [Fedora-directory-users] pam_ldap and password policy
Jeff Falgout wrote:
> It seems that pam_ldap is checking the password policy -
> I've looked at ldap.conf so many times, I've overlooked this setting:
>
>     # Search the root DSE for the password policy (works
>     # with Netscape Directory Server)
>     pam_lookup_policy yes
>
> Now, when I login to the terminal after a password reset, the
> login succeeds, but a message flashes on the screen -
> something about password after reset - and I'm taken back to
> the login prompt.
>
> Any ideas?

Sounds like pam_ldap doesn't implement this properly - it should be prompting you like passwd had been executed. I'll dig out that source code when I get a minute or two.
Jeff Falgout
2005-Jun-15 14:09 UTC
RE: [Fedora-directory-users] pam_ldap and password policy
Pete Rowley said:
>> Now, when I login to the terminal after a password reset, the
>> login succeeds, but a message flashes on the screen -
>> something about password after reset - and I'm taken back to
>> the login prompt.
>>
>> Any ideas?
>
> Sounds like pam_ldap doesn't implement this properly - it should be
> prompting you like passwd had been executed. I'll dig out that source
> code when I get a minute or two.

Is this something I should submit to Bugzilla?

Thanks.
Brian Peters
2005-Jun-15 14:29 UTC
Re: [Fedora-directory-users] pam_ldap and password policy
Jeff,

I have been able to get this to work with pam_ldap. In fact, it works regardless of the pam_lookup_policy setting. One thing that may be throwing you is how you are resetting the password. According to the docs, only a password reset by the Directory Manager will force the user to change their password on the next bind attempt/login.

So before you wrack your brain over your pam/ldap configuration on the client, try logging in to the admin web interface and change the user's password as the Directory Manager. Then reauthenticate on the web interface as that user and see if it tells you that you need to change your password. If it doesn't prompt you to change your password, then there is something wrong with your password policy configuration, not pam_ldap.

Brian

Jeff Falgout wrote:
>>> Now, when I login to the terminal after a password reset, the
>>> login succeeds, but a message flashes on the screen -
>>> something about password after reset - and I'm taken back to
>>> the login prompt.
>>> Any ideas?
>>
>> Sounds like pam_ldap doesn't implement this properly - it should be
>> prompting you like passwd had been executed. I'll dig out that source
>> code when I get a minute or two.
>
> Is this something I should submit to Bugzilla?
> Thanks.
Jeff Falgout
2005-Jun-15 15:38 UTC
Re: [Fedora-directory-users] pam_ldap and password policy
Brian Peters said:
> Jeff,
>
> I have been able to get this to work with pam_ldap. In fact, it works
> regardless of the pam_lookup_policy setting. One thing that may be
> throwing you is how you are resetting the password. According to the
> docs, only a password reset by the Directory Manager will force the
> user to change their password on the next bind attempt/login.
>
> So before you wrack your brain over your pam/ldap configuration on the
> client, try logging in to the admin web interface and change the user's
> password as the Directory Manager. Then reauthenticate on the web
> interface as that user and see if it tells you that you need to change
> your password. If it doesn't prompt you to change your password, then
> there is something wrong with your password policy configuration, not
> pam_ldap.
>
> Brian

Thanks Brian -

I didn't think to check the web interface - the password change IS forced after a reset when authenticating to the admin web interface.

I rechecked the RHEL 3 and 4 boxen - the RHEL 3 box DOES enforce the password change correctly, but only on the terminal login, not sshd. RHEL 4 doesn't work for login or sshd.
Jeff Falgout
2005-Jun-15 22:38 UTC
Re: [Fedora-directory-users] pam_ldap and password policy
Jeff Falgout said:
> Brian Peters said:
>> I have been able to get this to work with pam_ldap. In fact, it works
>> regardless of the pam_lookup_policy setting. One thing that may be
>> throwing you is how you are resetting the password. According to the
>> docs, only a password reset by the Directory Manager will force the
>> user to change their password on the next bind attempt/login.
>>
>> So before you wrack your brain over your pam/ldap configuration on the
>> client, try logging in to the admin web interface and change the user's
>> password as the Directory Manager. Then reauthenticate on the web
>> interface as that user and see if it tells you that you need to change
>> your password. If it doesn't prompt you to change your password, then
>> there is something wrong with your password policy configuration, not
>> pam_ldap.
>>
>> Brian
>
> Thanks Brian -
>
> I didn't think to check the web interface - the password change IS forced
> after a reset when authenticating to the admin web interface.
>
> I rechecked the RHEL 3 and 4 boxen - the RHEL 3 box DOES enforce the
> password change correctly, but only on the terminal login, not sshd. RHEL
> 4 doesn't work for login or sshd.

I updated to the latest openssh and pam on both the RHEL3 and RHEL4 boxes - sshd and login now both prompt for a password change on the RHEL3 boxes, but RHEL4 is still broken.

Baby steps . . .
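A client-side check worth making when console login prompts for the change but sshd does not, added here as a note and not part of any reply in the thread: sshd only runs the PAM account and password-change phases (pam_acct_mgmt, pam_chauthtok) if it was built with PAM and told to use it. The directive names below are from sshd_config(5) of OpenSSH 3.7 and later; whether a particular RHEL3 or RHEL4 openssh build honours them, and what its defaults are, is an assumption to verify against the installed version rather than a fact from the thread.

```conf
# /etc/ssh/sshd_config (added example, not from the thread; directive names
# from sshd_config(5), values here are assumptions to check per build)
UsePAM yes
# The PAM conversation that carries the "change your password" prompt
# runs over keyboard-interactive, so keep this enabled as well.
ChallengeResponseAuthentication yes
```

After changing either directive, restart sshd and test with a fresh session, since an already-authenticated session will not re-run the PAM stack.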
Luke Howard
2005-Jun-16 00:42 UTC
Re: [Fedora-directory-users] pam_ldap and password policy
> I updated to the latest openssh and pam on both the RHEL3 and RHEL4 boxes
> - sshd and login now both prompt for a password change on the RHEL3 boxes,
> but RHEL4 is still broken.

If there's a bug in pam_ldap, please submit to bugzilla.padl.com.

-- Luke --