Re: [389-users] sshd/pam_ldap not honoring passwordMustChange

passwordExpirationTime might be the root of the problem.

1) Set the user's password in the Console via right-click and
"Properties." Click "Okay."

2) Open Advanced Properties and note that passwordExpirationTime is
19700101000001Z.

3) Log in as the test user with the reset password. The login is
successful, and no password change is required.

4) Return to Advanced Properties, and change passwordExpirationTime to
19700101000000Z without changing the password in Step 1.

5) Log in as the test user with the reset password from step 1. Be forced
through the password change process. Note that the session terminates
after a good, new password is set.

6) Return to Advanced Properties and note that passwordExpirationTime is
19700101000001Z, again.

I'm not sure if I've missed some aspect of resetting a password from the
console, or if RHDS has a bug in failing to modify passwordExpirationTime
when the password is changed, or if this is something else entirely.

Thanks!
David


On Wed, June 15, 2011 10:21, Aaron Hagopian wrote:
> I have not seen or used the passwordMustChange attribute before but I can
> tell you that if you set the passwordExpirationTime as follows:
>
> passwordExpirationTime: 19700101000000Z
>
>
> It should force the user to change their password on their next login. Keep
> in mind you will not get a prompt if you use a passwordless ssh login via
> rsa key exchange.
>
> Hope that helps.
>
> Thanks,
> Aaron
>
>
> On Tue, Jun 14, 2011 at 5:03 PM, David Barr <dafydd@xxxxxxxxxx> wrote:
>
>> I know this is outside the scope of the 389 list, but my Google-fu is
>> failing me on this one.
>>
>> If I change the password to the account on the LDAP server and verify
>> "passwordmustchange: on," I can ssh in to the test host with the new
>> password all day long, and never get asked to change it.
>>
>> I'm hoping someone has seen a document recently that they could link to.
>> I've seen the "PAM Configuration for LDAP Client Systems" page on the
>> wiki. That deals more with setting password expiration, though.
>>
>> Thanks!
>> David

-- 
David - Offbeat                http://dafydd.livejournal.com
dafydd - Online                http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
       Integrity*Commitment*Communication*Support


--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
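
Added example, not part of the original thread: a small audit over an LDIF export that labels each entry by its passwordExpirationTime, separating the two epoch values discussed above by the behaviour the poster observed. The sample entries, the suffix, and the function and label names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Values reported in the thread, labelled with what the poster observed.
FORCES_CHANGE = "19700101000000Z"  # login was forced through a password change
NO_PROMPT = "19700101000001Z"      # login succeeded, no change required

# Constructed sample export (hypothetical users and suffix).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000001Z

dn: uid=bob,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z

dn: uid=carol,ou=People,
 dc=example,dc=com
passwordExpirationTime: 20110901120000Z

dn: uid=dave,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}  # lower-cased attribute name -> list of values
        for line in block.splitlines():
            name, sep, value = line.partition(":")  # "attr:: ..." is base64, skipped
            if sep and not line.startswith("#") and not value.startswith(":"):
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        yield entry

def classify(entry, now):
    value = entry.get("passwordexpirationtime", [None])[0]
    if value is None:
        return "unset"
    if value == FORCES_CHANGE:
        return "forces-change"
    if value == NO_PROMPT:
        return "reset-no-prompt"
    try:
        when = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return "unparseable"
    return "expired" if when <= now else "valid"

def audit(ldif_text, now):
    return {e["dn"][0]: classify(e, now) for e in parse_ldif(ldif_text) if "dn" in e}
```

Calling audit(SAMPLE_LDIF, datetime.now(timezone.utc)) returns a dict mapping each DN to its label; entries labelled "reset-no-prompt" are the ones in the state described in steps 2 and 6.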

