Bliss, Aaron wrote:
Please forgive me if I'm asking silly newbie questions, however I'm trying to understand exactly what I'm seeing thru fds; first the policy I've configured on the directory using the fds console: I've enabled fine-grain password policy for the data unit, including password history enforcement, password expiration after 90 days, password warning 14 days before password expires, check password syntax, account lockout policy enabled after 3 login failures for 120 minutes and reset failure count after 15 minutes. Everything seems to be working except for send password warning; in theclient's ldap.conf file, I've enabled pam_lookup_policy yes.Looking at account information attributes for a user, passwordexpwarnd value is 0; I've reset users password to try to initialize the password policy, however this value never seems to change. According to this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10770 81 I believe that this attribute is stored in seconds. Is this true?
Yes.
If so, what can I do to ensure this attribute is getting updated (assuming that this is the attribute responsible for triggering password expiration warning).
I'm not really sure.
Those attributes are only for global (default) password policy - what you have set for fine grained password policy will override those.Second issue/question: I've looked at this wiki http://directory.fedora.redhat.com/wiki/Howto:PAM and near the very bottom it mentions adding the following dn: cn=config changetype: modify add: passwordExp passwordExp: on - add: passwordMaxAge passwordMaxAge: 8640000 (this I believe would give a password max age of 100 days) Do I need to add these attributes even though I've configured the password policy using fds console has done this for me. Is this the case, I see don't these attributes in the gui, however I do see passwordexpirationtime as an attribute and is set to 90 days from now (I'm want to ensure that accounts are indeed locked after passwords haveexpired).
Right. They are a PAM/posix thing - FDS treats them as any other data - it doesn't update them from it's own password policy.Also, Jim Summers posted to this group that he saw an issue with shadowpasswd / shadowexpire fields not being updated https://www.redhat.com/archives/fedora-directory-users/2005-December/msg 00367.html Can anyone tell me what these fields are used for, as I don't see any mention of them in this documentation http://www.redhat.com/docs/manuals/dir-server/ag/7.1/password.html#10770 81
Thanks again very much. Aaronwww.preferredcare.org "An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates Confidentiality Notice: The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information. If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited. If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received. -- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- Fedora-directory-users mailing list Fedora-directory-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
