I am pretty sure I found the solution here: http://directory.fedora.redhat.com/wiki/Howto:PAM Towards the bottom it mentions a couple of ldap.conf entries that are necessary along with activating the pw policy. Will post if any oddness is discovered. Thanks! --jim Jim Summers wrote: > > > Jeff Medcalf wrote: > >> Jim, >> >> I haven't tried this on FDS, but given that it has the same base as >> SunONE and the old iPlanet, I would assume it works the same as those >> directory servers. In that case, and assuming that you are using >> pam_ldap, go ahead and use the password policy: pam_ldap knows about >> it and works correctly with it. > > > I am a little confused on what is actually being used. I see the > following entries in machines here: > ========================================= > Dec 19 09:34:22 XXXXXX sshd[14463]: PAM rejected by account > configuration[13]: User account has expired > Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnecting to LDAP > server... > Dec 19 09:36:21 XXXXXX sshd[14515]: nss_ldap: reconnected to LDAP server > after 1 attempt(s) > ========================================= > > So I am not sure as to whether pam_ldap or nss_ldap is in use. I guess > they could be one in the same? > > and system-auth has: > ====================================== > auth required /lib/security/$ISA/pam_env.so > auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok > auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass > auth required /lib/security/$ISA/pam_deny.so > ====================================== > > So I would think it is pam_ldap. > > I am going to double-check the pam config to make sure it is still > following recommendations. > >> >> Oh, and if you are using the pam_ldap that comes with Solaris, you >> might try switching to the open source version: the Sun version is >> terribly buggy and horrible. > > > Will do. The majority are linux clients. > >> >> On Dec 16, 2005, at 3:06 PM, Jim Summers wrote: >> >>> Hello List, >>> >>> Being in the midst of evaluating and hopefully migrating to FDS >>> soon. I have stumbled onto a odd problem. >>> >>> My user information is kept in the People container. We have been >>> using shadowExpire / shadowLastChange fields. >>> >>> This all seems to work except when a user's account is ready to >>> expire and is prompted to change their password. Using passwd, the >>> user can change the password, but the system continues to prompt for >>> a new password upon each successive login. >>> >>> Looking at the data, the shadowExpire / LastChange never get >>> updated. I am also not seeing any errors being generated in the >>> logs. I can manually update those fields and the problem goes >>> away. But I guess I thought passwd / nss_ldap / pam would update >>> those fields as needed. >>> >>> Looking in the docs, all I see is configuring a password policy. >>> But that seems to be directed at users actually connecting to the >>> directory via console / ldapsearch, etc.... >>> >>> Initially I thought I was having some ACI issues but I am really not >>> sure. It could be that I need to drop the shadow stuff and >>> configure the password policy? >>> >>> Advice or suggestions on what I am missing or where I have gone wrong? >>> >>> >>> TIA >>> -- >>> Jim Summers >>> School of Computer Science-University of Oklahoma >>> ------------------------------------------------- >>> >>> -- >>> Fedora-directory-users mailing list >>> Fedora-directory-users at redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >> -- >> Jeff Medcalf >> jeff at caerdroia.org >> >> > -- Jim Summers School of Computer Science-University of Oklahoma -------------------------------------------------
