I believe when you set that feature on the directory server, what
actually happens is that the first time a user binds to the directory, a
v3 control/message is sent back to the client (in this case, pam_ldap)
saying effectively that the password must be changed. BTW - how would
pam_ldap force the user to change their password - can it do it itself,
or would it require the user to log in and run passwd or something? It
may not be possible.
If the client is binding as a v2 client, or doesn't know how to
interpret these v3 messages, it will be ignored. Many protocols _can't_
make use of this, because they have no mechanism for changing passwords
(i.e. POP, IMAP, SMTP, HTTP, etc are ones that come to mind). I don't
use this feature because the danger is that if the first thing a user
logs into is via one of these protocols, and this message is ignored,
the result of not changing their password takes effect (what does FDS
do, btw? Prevent the account from binding again, effectively locking
the user out? Does it allow some number of binds before it takes
effect? I can't remember cause I never use it :) )
If I'm wrong, I'm sure someone will correct me :)
- Jeff
Jeff Falgout wrote:
Has anyone been able to get pam_ldap to honor the password policy set in
fedora-ds?
I've tried RHEL3 and RHEL4 clients, and both just ignore settings such as
"User must change password after reset". Is it a misconfiguration on my
part, or is that the appropriate behavior of pam_ldap.
Thanks
Jeff
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
