Hello List,

Being in the midst of evaluating and hopefully migrating to FDS soon, I have stumbled onto an odd problem.

My user information is kept in the People container. We have been using the shadowExpire / shadowLastChange fields.

This all seems to work except when a user's account is ready to expire and the user is prompted to change their password. Using passwd, the user can change the password, but the system continues to prompt for a new password upon each successive login.

Looking at the data, the shadowExpire / shadowLastChange never get updated. I am also not seeing any errors being generated in the logs. I can manually update those fields and the problem goes away. But I guess I thought passwd / nss_ldap / pam would update those fields as needed.

Looking in the docs, all I see is configuring a password policy. But that seems to be directed at users actually connecting to the directory via console / ldapsearch, etc.

Initially I thought I was having some ACI issues but I am really not sure. It could be that I need to drop the shadow stuff and configure the password policy?

Advice or suggestions on what I am missing or where I have gone wrong?

TIA
--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
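As an added illustration (not part of Jim's post, and not code from Fedora Directory Server or nss_ldap/pam_ldap), here is a small Python model of the shadow(5) password-aging rules that a PAM stack applies to shadowLastChange / shadowMax / shadowWarning / shadowInactive / shadowExpire. The LDIF entries, day numbers and the placeholder hash are constructed. It shows the failure mode in the post: if passwd changes the hash but nothing rewrites shadowLastChange, the entry is still past its expiry day at the next login and the user is prompted again.

```python
"""Model of the shadow(5) password-aging rules applied to LDAP entries.

Added example; not code from the thread or from Fedora Directory Server.
All entries, day numbers and the password hash below are constructed.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed LDIF for three shadowAccount entries in ou=People (not real data).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
objectClass: shadowAccount
shadowLastChange: 13000
shadowMax: 90
shadowWarning: 7

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
objectClass: shadowAccount
shadowLastChange: 13000
shadowMax: 90
shadowExpire: 13050

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
objectClass: shadowAccount
shadowLastChange: 13000
shadowMax: 90
shadowInactive: 14
"""


def days_since_epoch(d):
    """shadow attributes count days since 1970-01-01 (epoch seconds / 86400)."""
    return (d - EPOCH).days


def days_for(year, month, day):
    return days_since_epoch(date(year, month, day))


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by a blank line, 'attr: value'
    lines, no continuation lines or base64. Enough for shadowAccount data."""
    entries = {}
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr] = value
        entries[entry["uid"]] = entry
    return entries


def shadow_status(entry, today):
    """Return 'ok', 'warn', 'change_required', 'inactive' or 'expired'.

    Follows shadow(5): shadowExpire is an absolute account expiry day;
    shadowLastChange 0 forces a change at next login; a negative or missing
    shadowLastChange/shadowMax disables aging; shadowInactive is the grace
    window after the password expires before the account is locked.
    """
    last = int(entry.get("shadowLastChange", -1))
    max_days = int(entry.get("shadowMax", -1))
    warn = int(entry.get("shadowWarning", 0))
    inactive = int(entry.get("shadowInactive", -1))
    expire = int(entry.get("shadowExpire", -1))

    if expire >= 0 and today >= expire:
        return "expired"
    if last == 0:
        return "change_required"
    if last < 0 or max_days < 0:
        return "ok"
    password_expires = last + max_days
    if today >= password_expires:
        if inactive >= 0 and today >= password_expires + inactive:
            return "inactive"
        return "change_required"
    if warn > 0 and today >= password_expires - warn:
        return "warn"
    return "ok"


def change_password(entry, today, backend_updates_shadow):
    """Model `passwd` run on day `today`; return the status the next login sees.

    The hash always changes. Whether shadowLastChange is rewritten depends on
    the PAM/NSS stack and the directory ACIs, which is the gap in the thread.
    """
    entry["userPassword"] = "{SSHA}constructed-placeholder-hash"  # constructed
    if backend_updates_shadow:
        entry["shadowLastChange"] = str(today)
    return shadow_status(entry, today)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    today = days_for(2005, 12, 19)  # the day of the thread: 13136
    for uid, e in entries.items():
        print(uid, shadow_status(e, today))
    # alice runs passwd on a stack that leaves shadowLastChange alone, then on
    # one that rewrites it: only the second clears the prompt.
    stale = dict(entries["alice"])
    print("no shadow update:", change_password(stale, today, False))
    print("shadow updated:  ", change_password(stale, today, True))
```

The `change_password` step is the whole story of the post: a directory write of the new userPassword without a matching write of shadowLastChange leaves the aging arithmetic exactly where it was. When checking a real entry, compare `shadowLastChange` against `$(( $(date +%s) / 86400 ))` before and after a `passwd` run to see whether anything in the stack touched it.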
Jim Summers
2005-Dec-19 15:49 UTC
Re: [Fedora-directory-users] ShadowPassword / ShadowExpire
Jeff Medcalf wrote:
> Jim,
>
> I haven't tried this on FDS, but given that it has the same base as
> SunONE and the old iPlanet, I would assume it works the same as those
> directory servers. In that case, and assuming that you are using
> pam_ldap, go ahead and use the password policy: pam_ldap knows about it
> and works correctly with it.

I am a little confused on what is actually being used. I see the following entries in machines here:

========================================
Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account configuration[13]: User account has expired
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP server...
Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server after 1 attempt(s)
========================================

So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess they could be one and the same?

and system-auth has:

=====================================
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
=====================================

So I would think it is pam_ldap.

I am going to double-check the pam config to make sure it is still following recommendations.

> Oh, and if you are using the pam_ldap that comes with Solaris, you
> might try switching to the open source version: the Sun version is
> terribly buggy and horrible.

Will do. The majority are Linux clients.

> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
>
>> Hello List,
>>
>> Being in the midst of evaluating and hopefully migrating to FDS
>> soon. I have stumbled onto an odd problem.
>>
>> My user information is kept in the People container. We have been
>> using shadowExpire / shadowLastChange fields.
>>
>> This all seems to work except when a user's account is ready to
>> expire and is prompted to change their password. Using passwd, the
>> user can change the password, but the system continues to prompt for
>> a new password upon each successive login.
>>
>> Looking at the data, the shadowExpire / LastChange never get
>> updated. I am also not seeing any errors being generated in the
>> logs. I can manually update those fields and the problem goes away.
>> But I guess I thought passwd / nss_ldap / pam would update those
>> fields as needed.
>>
>> Looking in the docs, all I see is configuring a password policy. But
>> that seems to be directed at users actually connecting to the
>> directory via console / ldapsearch, etc.
>>
>> Initially I thought I was having some ACI issues but I am really not
>> sure. It could be that I need to drop the shadow stuff and configure
>> the password policy?
>>
>> Advice or suggestions on what I am missing or where I have gone wrong?
>>
>>
>> TIA
>> --
>> Jim Summers
>> School of Computer Science-University of Oklahoma
>> -------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
> --
> Jeff Medcalf
> jeff@caerdroia.org
>

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------
Jim Summers
2005-Dec-19 16:16 UTC
Re: [Fedora-directory-users] ShadowPassword / ShadowExpire
I am pretty sure I found the solution here:

http://directory.fedora.redhat.com/wiki/Howto:PAM

Towards the bottom it mentions a couple of ldap.conf entries that are necessary along with activating the pw policy.

Will post if any oddness is discovered.

Thanks!
--jim

Jim Summers wrote:
>
>
> Jeff Medcalf wrote:
>
>> Jim,
>>
>> I haven't tried this on FDS, but given that it has the same base as
>> SunONE and the old iPlanet, I would assume it works the same as those
>> directory servers. In that case, and assuming that you are using
>> pam_ldap, go ahead and use the password policy: pam_ldap knows about
>> it and works correctly with it.
>
>
> I am a little confused on what is actually being used. I see the
> following entries in machines here:
> ========================================
> Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account
> configuration[13]: User account has expired
> Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP
> server...
> Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server
> after 1 attempt(s)
> ========================================
>
> So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess
> they could be one and the same?
>
> and system-auth has:
> =====================================
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
> =====================================
>
> So I would think it is pam_ldap.
>
> I am going to double-check the pam config to make sure it is still
> following recommendations.
>
>>
>> Oh, and if you are using the pam_ldap that comes with Solaris, you
>> might try switching to the open source version: the Sun version is
>> terribly buggy and horrible.
>
>
> Will do. The majority are Linux clients.
>
>>
>> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote:
>>
>>> Hello List,
>>>
>>> Being in the midst of evaluating and hopefully migrating to FDS
>>> soon. I have stumbled onto an odd problem.
>>>
>>> My user information is kept in the People container. We have been
>>> using shadowExpire / shadowLastChange fields.
>>>
>>> This all seems to work except when a user's account is ready to
>>> expire and is prompted to change their password. Using passwd, the
>>> user can change the password, but the system continues to prompt for
>>> a new password upon each successive login.
>>>
>>> Looking at the data, the shadowExpire / LastChange never get
>>> updated. I am also not seeing any errors being generated in the
>>> logs. I can manually update those fields and the problem goes
>>> away. But I guess I thought passwd / nss_ldap / pam would update
>>> those fields as needed.
>>>
>>> Looking in the docs, all I see is configuring a password policy.
>>> But that seems to be directed at users actually connecting to the
>>> directory via console / ldapsearch, etc.
>>>
>>> Initially I thought I was having some ACI issues but I am really not
>>> sure. It could be that I need to drop the shadow stuff and
>>> configure the password policy?
>>>
>>> Advice or suggestions on what I am missing or where I have gone wrong?
>>>
>>>
>>> TIA
>>> --
>>> Jim Summers
>>> School of Computer Science-University of Oklahoma
>>> -------------------------------------------------
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users@redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>>
>>
>> --
>> Jeff Medcalf
>> jeff@caerdroia.org
>>
>>
>

--
Jim Summers
School of Computer Science-University of Oklahoma
-------------------------------------------------