Ian Meyer
2006-Oct-25 21:25 UTC
[Fedora-directory-users] Issue with fine-grained password policy
Hello all,

I set up FDS 1.0.2 on a server and got everything configured and imported etc etc.. things work great, I can authenticate against it, make updates.. but I can not get our linux clients to warn me about changing my password, expiration, length, etc..

I followed the instructions on http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672 to set up a global config, and a user config. Is there anything on the client side for PAM that needs to be configured? I've been poring over this for a couple of days now so I may just be blind to a small detail I may have missed. Any help/insight would be appreciated.

Thanks in advance,
Ian
Mike Jackson
2006-Oct-25 21:31 UTC
Re: [Fedora-directory-users] Issue with fine-grained password policy
Ian Meyer wrote:
> Hello all,
>
> I set up FDS 1.0.2 on a server and got everything configured and
> imported etc etc.. things
> work great, I can authenticate against it, make updates.. but I can
> not get our linux
> clients to warn me about changing my password, expiration, length,
> etc.. I followed the instructions on
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> to set up a global config, and a user config. Is there anything on the
> client side for PAM that needs to be configured? I've been poring
> over this for a couple of days now so I may just be blind to a small
> detail I may have missed. Any help/insight would be appreciated.

This functionality (returning requested password policy response message in conjunction with password change extop) needs support from two sides, pam_ldap and slapd. The functionality is missing from the current version of slapd, but should be available in the next version afaik. I am unsure of pam_ldap's support for password change extop or parsing password policy control response messages.

Clearly, this is a piece of missing basic functionality, as a whole, that makes linux itself look incapable compared to windows.

--
mike
George Holbert
2006-Oct-25 21:40 UTC
Re: [Fedora-directory-users] Issue with fine-grained password policy
Last time I looked at this, I vaguely recall finding that pam_ldap doesn't pay too much attention to FDS password metadata for expiration warnings or strength restrictions. So what you're seeing may be the norm.

Hopefully someone else out there will have better news for you on this.

Ian Meyer wrote:
> Hello all,
>
> I set up FDS 1.0.2 on a server and got everything configured and
> imported etc etc.. things
> work great, I can authenticate against it, make updates.. but I can
> not get our linux
> clients to warn me about changing my password, expiration, length,
> etc.. I followed the instructions on
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
>
> to set up a global config, and a user config. Is there anything on the
> client side for PAM that needs to be configured? I've been poring
> over this for a couple of days now so I may just be blind to a small
> detail I may have missed. Any help/insight would be appreciated.
>
> Thanks in advance,
> Ian
Gennaro Tortone
2006-Oct-26 05:39 UTC
Re: [Fedora-directory-users] Issue with fine-grained password policy
Hi,
you should try with this PAM option:

    pam_lookup_policy yes

Regards,

* Ian Meyer <ianmmeyer@gmail.com> [251006, 17:25]:
> Hello all,
>
> I set up FDS 1.0.2 on a server and got everything configured and
> imported etc etc.. things
> work great, I can authenticate against it, make updates.. but I can
> not get our linux
> clients to warn me about changing my password, expiration, length,
> etc.. I followed the instructions on
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> to set up a global config, and a user config. Is there anything on the
> client side for PAM that needs to be configured? I've been poring
> over this for a couple of days now so I may just be blind to a small
> detail I may have missed. Any help/insight would be appreciated.

--
Gennaro Tortone
INFN Napoli
Italy
tel: +39 81 676169

"Computer Science is no more about computers
than astronomy is about telescopes."
- Edsger Dijkstra
Ian Meyer
2006-Oct-26 06:07 UTC
Re: [Fedora-directory-users] Issue with fine-grained password policy
Ah I forgot to mention, I do have that in my ldap.conf, hence my confusion as to why it wasn't working. I'm not sure if I'm maybe missing something in the server config or what, but I followed the directions in the url I mentioned in my first email, maybe they're outdated?

Thanks everyone for the help so far. It's giving me a better grasp on what I'm dealing with.

Ian

On 10/26/06, Gennaro Tortone <gennaro.tortone@na.infn.it> wrote:
> Hi,
> you should try with this PAM option:
>
> pam_lookup_policy yes
>
> Regards,
>
> * Ian Meyer <ianmmeyer@gmail.com> [251006, 17:25]:
> > Hello all,
> >
> > I set up FDS 1.0.2 on a server and got everything configured and
> > imported etc etc.. things
> > work great, I can authenticate against it, make updates.. but I can
> > not get our linux
> > clients to warn me about changing my password, expiration, length,
> > etc.. I followed the instructions on
> > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#1074672
> > to set up a global config, and a user config. Is there anything on the
> > client side for PAM that needs to be configured? I've been poring
> > over this for a couple of days now so I may just be blind to a small
> > detail I may have missed. Any help/insight would be appreciated.
>
> --
> Gennaro Tortone
> INFN Napoli
> Italy
> tel: +39 81 676169
>
> "Computer Science is no more about computers
> than astronomy is about telescopes."
> - Edsger Dijkstra