Re: Managing user password policy problem

I found more information today.

First -

I found https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-usability.html, so I have added an aci to the OID.

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; allow (read, search, compare, proxy)(groupdn = "ldap:///cn=groupname,ou=group,dc=christianbook,dc=com";);)

Next -

I can set my password from the 389 console. Once it is set, the passwordexpiration becomes '1970...', which means it is expired.

Then if I bind as myself from the client:

ldapsearch -x -Z -D "uid=xinhuan,ou=people,dc=christianbook,dc=com" -W -b 'dc=christianbook,dc=com' pwdpolicysubentry

Below is the response:

# search result
search: 3
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==

It appears ldapsearch sees that my password has expired, so the server is unwilling to respond. However, I can proceed to log in using ssh, despite the /var/log/secure message mentioned before:

Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)  <---- pam_sss(sshd:auth) has already got the password-invalid response from the directory server
Jun 15 12:11:48 dclientdev1 sshd[7894]: Accepted password for xinhuan from ::1 port 41588 ssh2 <---- login proceeds

Next -

I changed passwordMaxAge to 1 in the policy. Once I log in, I use the 'passwd' command to change my password:

$ passwd
Changing password for user xinhuan.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Since passwordMaxAge is set to 1, the next time I log in I get the prompt:

Your password has expired. You have 2 grace login(s) remaining.

Below is from /var/log/secure:

Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): User info message: Your password has expired. You have 2 grace login(s) remaining.
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan

After consuming all grace login(s), I am still able to log in using the expired password. /var/log/secure still shows that the password is expired, but I can log in.
--
389-users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
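An added example (not code from the post above, nor from 389 DS or SSSD) that reads the two artifacts shown in the thread: the ldapsearch output, where result 53 is accompanied by the 389 DS / Netscape "password expired" response control 2.16.840.1.113730.3.4.4 whose base64 value MA== decodes to the octet string "0", and the /var/log/secure lines, where pam_sss reports PAM return code 12 (PAM_AUTHTOK_EXPIRED, "Authentication token is no longer valid") or a grace-login message and sshd still accepts the session. The sample inputs are constructed from the post's own output; the 'alice' line is an added control case of a normal login, and the function and constant names are this example's own.

```python
import base64
import re

# Netscape password-policy response controls as emitted by 389 DS.
PASSWORD_EXPIRED_OID = "2.16.840.1.113730.3.4.4"   # value: "0"
PASSWORD_EXPIRING_OID = "2.16.840.1.113730.3.4.3"  # value: seconds until expiry
LDAP_UNWILLING_TO_PERFORM = 53
PAM_AUTHTOK_EXPIRED = 12  # Linux-PAM return code 12

# Constructed from the thread's ldapsearch output.
SAMPLE_LDAPSEARCH = """\
# search result
search: 3
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==
"""

# Constructed from the thread's /var/log/secure lines; the 'alice' login is an
# added control case with no expiry flag.
SAMPLE_SECURE = """\
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)
Jun 15 12:11:48 dclientdev1 sshd[7894]: Accepted password for xinhuan from ::1 port 41588 ssh2
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): User info message: Your password has expired. You have 2 grace login(s) remaining.
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
Jun 15 12:30:00 dclientdev1 sshd[8100]: Accepted password for alice from ::1 port 41600 ssh2
""".splitlines()


def parse_ldapsearch_result(text):
    """Extract the result code and response controls from ldapsearch -x output.

    Returns {"code": int|None, "controls": {oid: {"critical": bool, "value": str}}}.
    """
    out = {"code": None, "controls": {}}
    for line in text.splitlines():
        m = re.match(r"result:\s+(\d+)", line)
        if m:
            out["code"] = int(m.group(1))
            continue
        # ldapsearch prints: control: <oid> <true|false> [<base64 value>]
        m = re.match(r"control:\s+(\S+)\s+(true|false)(?:\s+(\S+))?", line)
        if m:
            oid, critical, b64 = m.groups()
            value = base64.b64decode(b64).decode("ascii", "replace") if b64 else ""
            out["controls"][oid] = {"critical": critical == "true", "value": value}
    return out


def password_state(result):
    """Classify the bind outcome from its controls: 'expired', 'expiring:<secs>' or 'ok'."""
    ctrls = result["controls"]
    if PASSWORD_EXPIRED_OID in ctrls:
        return "expired"
    if PASSWORD_EXPIRING_OID in ctrls and ctrls[PASSWORD_EXPIRING_OID]["value"].isdigit():
        return "expiring:" + ctrls[PASSWORD_EXPIRING_OID]["value"]
    return "ok"


SECURE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_RC_RE = re.compile(r"received for user \S+: (\d+) \(")
GRACE_RE = re.compile(r"You have (\d+) grace login\(s\) remaining")
ACCEPT_RE = re.compile(r"Accepted password for (\S+) from")
PAM_OK_RE = re.compile(r"pam_sss\(sshd:auth\): authentication success;.*\buser=(\S+)")


def find_expired_password_logins(lines):
    """Return one dict per sshd PID that was let in after pam_sss flagged the
    password as expired (PAM rc 12 or an explicit grace-login message)."""
    flagged = {}  # pid -> grace logins remaining (None if not reported)
    hits = []
    for line in lines:
        m = SECURE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        rc = PAM_RC_RE.search(msg)
        if rc and int(rc.group(1)) == PAM_AUTHTOK_EXPIRED:
            flagged.setdefault(pid, None)
        g = GRACE_RE.search(msg)
        if g:
            flagged[pid] = int(g.group(1))
        ok = ACCEPT_RE.match(msg) or PAM_OK_RE.match(msg)
        if ok and pid in flagged:
            hits.append({"pid": pid, "user": ok.group(1), "grace_remaining": flagged[pid]})
    return hits


if __name__ == "__main__":
    r = parse_ldapsearch_result(SAMPLE_LDAPSEARCH)
    print("ldapsearch result:", r["code"], "->", password_state(r))
    for h in find_expired_password_logins(SAMPLE_SECURE):
        print("expired password accepted:", h)
```

Correlating on the sshd PID is what makes this usable as a detection: an "Accepted password" or "authentication success" line on its own is normal, and the PAM rc 12 line on its own is just a failed attempt; it is the pair within one session that shows an expired password being let through.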