PAM gurus,

I am seeing some strange issues when I attempt to use MD5 password hashing from my Red Hat Linux servers. I am running the OpenLDAP client (openldap-clients.2.3.43-3) with PAM (pam-0.99.6.2-6) on RHEL5, and using the ppolicy overlay in the OpenLDAP server. I have the following:

In /etc/ldap.conf:

    pam_password md5
    pam_lookup_policy yes

In /etc/pam.d/system-auth:

    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 lcredit=-1 ucredit=-1 dcredit=-1 type=LDAP
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok

(Note: I've tried adding 'md5' to the pam_ldap.so line as well, no help.)

Here's the problem: with this configuration, I NEVER see the client send the passwordPolicyRequest Request Control (controlType 1.3.6.1.4.1.42.2.27.8.5.1) in any LDAP request, thus the LDAP server never returns the password status (expired, etc.). I've also noticed that the password in LDAP shows something like "{crypt}Fe9RyjhrMaom.". So, as far as the users are concerned, their passwords never expire.

IF I change to use 'crypt' (or clear-text) instead of MD5, I see the Request Control in the LDAP bind from the Linux LDAP client, and password expiry notification works fine.

OR, IF I change the password in LDAP manually to MD5 (using the ldapadmin tool), where it shows something like "{MD5}rFyeI1Li1xieh1hj2lRvRw==", the Request Control is sent from the client.

Any ideas? Is this a known bug?

Thanks,
Joe

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
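The two userPassword values quoted in the post are in the RFC 2307 "{scheme}payload" form: "{crypt}Fe9RyjhrMaom." is a 13-character traditional DES crypt string (two-character salt, eight-character password limit), while "{MD5}rFyeI1Li1xieh1hj2lRvRw==" is the base64 encoding of a raw, unsalted 16-byte MD5 digest, which is what pam_ldap's `pam_password md5` is meant to produce. The following script is an added example, not code from the post or from pam_ldap/OpenLDAP: it parses such values, classifies them for a storage-strength audit (which is the check an administrator would run when the stored scheme is not the one the client was configured for, as in the post), and verifies a cleartext password against the hashlib-based schemes. It deliberately avoids Python's deprecated `crypt` module, so {crypt} values are only classified, never verified. The sample password "correct horse" is a constructed value; the two sample hashes are those quoted in the post.

```python
"""Audit and verify RFC 2307-style userPassword values with hashlib.

Added example, not from the original mailing-list post.  {crypt} values are
classified by shape only; {MD5}/{SMD5}/{SHA}/{SSHA} values can be verified.
"""
import base64
import hashlib
import hmac
import os
import re

# Scheme prefix -> (hashlib algorithm, payload carries a trailing salt?)
_HASH_SCHEMES = {
    "MD5": ("md5", False),
    "SMD5": ("md5", True),
    "SHA": ("sha1", False),
    "SSHA": ("sha1", True),
}
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.DOTALL)


def parse_userpassword(value):
    """Split '{SCHEME}payload' into (SCHEME upper-cased, payload).
    A value without a prefix is treated as cleartext."""
    m = _SCHEME_RE.match(value)
    if not m:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def classify(value):
    """Return (scheme, detail, weak) for an audit report.

    weak is True for cleartext, unsalted digests, md5-crypt and the
    13-character traditional DES crypt form the post shows."""
    scheme, payload = parse_userpassword(value)
    if scheme == "CLEARTEXT":
        return scheme, "no hashing", True
    if scheme == "CRYPT":
        if payload.startswith("$6$"):
            return scheme, "sha512-crypt", False
        if payload.startswith("$5$"):
            return scheme, "sha256-crypt", False
        if payload.startswith("$1$"):
            return scheme, "md5-crypt", True
        if len(payload) == 13:
            return scheme, "traditional DES crypt (2-char salt, 8-char limit)", True
        return scheme, "unknown crypt variant", True
    if scheme in _HASH_SCHEMES:
        algo, salted = _HASH_SCHEMES[scheme]
        digest_len = hashlib.new(algo).digest_size
        raw = base64.b64decode(payload)
        if len(raw) < digest_len or (not salted and len(raw) != digest_len):
            return scheme, "malformed payload", True
        return scheme, "%s digest, %s" % (algo, "salted" if salted else "unsalted"), not salted
    return scheme, "unknown scheme", True


def make_userpassword(password, scheme="MD5", salt=None):
    """Build '{SCHEME}base64(digest + salt)'.  For MD5 this is the same
    shape as the '{MD5}...==' value quoted in the post: base64 of the raw
    16-byte digest with no salt."""
    algo, salted = _HASH_SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(4)
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(password, value):
    """Constant-time check of a cleartext password against an
    {MD5}/{SMD5}/{SHA}/{SSHA} value.  Raises for schemes not handled here."""
    scheme, payload = parse_userpassword(value)
    if scheme not in _HASH_SCHEMES:
        raise ValueError("cannot verify scheme %r with hashlib" % scheme)
    algo, salted = _HASH_SCHEMES[scheme]
    raw = base64.b64decode(payload)
    n = hashlib.new(algo).digest_size
    digest = raw[:n]
    salt = raw[n:] if salted else b""
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(expected, digest)


# The two values quoted in the post.
SAMPLES = [
    "{crypt}Fe9RyjhrMaom.",
    "{MD5}rFyeI1Li1xieh1hj2lRvRw==",
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v, "->", classify(v))
    pw = "correct horse"  # constructed sample password
    stored = make_userpassword(pw)
    print(stored, verify(pw, stored), verify("not it", stored))
```

Run it against an `ldapsearch` dump of `userPassword` values to see which entries still carry the DES-crypt or unsalted-MD5 form; both are reported as weak, and an entry whose scheme differs from what `pam_password` in /etc/ldap.conf asks for is a sign that the password change went through a different path (for example pam_unix or the server's own ppolicy/`password-hash` setting) than the one intended.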