On Mon, 2008-12-01 at 13:36 -0500, Nalin Dahyabhai wrote: > On Fri, Nov 28, 2008 at 12:49:11AM -0500, John A. Sullivan III wrote: > > Hello, all. We're continuing to dive ever deeper into DS. Our thanks > > to the developers for such a powerful product. > > > > Our integration with the RedHat family has gone well but now we're > > working on Ubuntu. Most is working well but we are finding Ubuntu is > > not enforcing password policies. For example, we require a user to > > change their password after a reset. When a user logs into a RedHat > > system, they are prompted for the change. However, Ubuntu just lets > > them right in again and again with the same reset password. > > > > Any pointers on what to look for to fix this in our configuration before > > we scour the world for a solution? We've already done quite a bit of > > googling. > > > > We've tried enabling pam_lookup_policy but that didn't > > work. /etc/pam.d/common-password reads: > > > > password requisite pam_cracklib.so retry=3 minlen=8 difok=3 > > password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 > > password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass > > # here's the fallback if no module succeeds > > password requisite pam_deny.so > > > > # prime the stack with a positive return value if there isn't one already; > > # this avoids us returning an error just because nothing sets a success code > > # since the modules above will each just jump around > > password required pam_permit.so > > > > We've also tried disabling that last pam_permit.so. That didn't help. Where should we look? Thanks - John > > When using PAM, the calling application "knows" that the user's password > needs to be changed because the account management modules signal it, so > you'll want to check the "account" portions of the PAM configuration. > > Specifically, you want to ensure that pam_ldap.so is being used, and > that some other module isn't causing the account management function to > return a success code before pam_ldap.so gets a chance to check on the > user's account and return a password-needs-changing code. > > Just a guess, but going on what I get on my Fedora system, it might look > something like this: > > account required pam_unix.so > account sufficient pam_succeed_if.so uid < 500 quiet > account [[default=bad success=ok user_unknown=ignore] pam_ldap.so > account required pam_permit.so > > HTH, > > Nalin > > -- <snip> Thank you. That was it. It had autoconfigured with ldap first: account sufficient pam_ldap.so account required pam_unix.so -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society
