I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:
----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
----------------------------------------------------------
Then I leave it to each "per sub-tree" or "per user" setting to define all the other in-depth policies that are required (e.g. min password length 8 chars, min alpha chars, min digits, min caps...).
Plus, I updated the nss_ldap package to the latest release: apparently the default nss_ldap package of RHEL 5.4 suffers from a bug in password expiry, as explained here - http://rhn.redhat.com/errata/RHBA-2011-0097.html.
Now I correctly get these messages:
user@ldap-client:[/root]# ssh ldap-user@ldap-client
Password:
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx
Remote kickstart on 2011-03-07
ldap-user@ldap-client:[/home/ldap-user]#
as well as
user@ldap-client:[/root]# ssh ldap-user@ldap-client
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:
Hope this can be useful to others.
Cheers! :)
Claudio
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
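As an added example for this thread (written here, not part of Claudio's post and not a Directory Server tool), the script below turns the point of the post into a check: it parses the cn=config entry as printed by ldapsearch, reports which of the global switches (passwordExp, passwordLockout, passwordMustChange, passwordCheckSyntax) are still off or missing, flags a weak passwordStorageScheme, and renders the ldapmodify LDIF that would set the values from the post. The attribute names are the cn=config attributes quoted in the post (assumed here to be a Red Hat / 389 Directory Server); the two sample entries are constructed, and the weak-scheme list and the "history must be at least 1" rule are this example's own choices.

```python
"""Audit the global password-policy switches on cn=config and render the fix as LDIF.

Hypothetical helper for the pam-list thread above; not part of any Directory Server package.
"""
import base64

# The switches the post enables on cn=config. A subtree or per-user policy
# stays inert until these global settings are on.
REQUIRED_SETTINGS = {
    "passwordCheckSyntax": "on",
    "passwordExp": "on",
    "passwordLockout": "on",
    "passwordMustChange": "on",
}

# Storage schemes this example treats as weak (reversible or trivially brute-forced).
WEAK_SCHEMES = {"CLEAR", "CRYPT"}


def parse_ldif_entry(text):
    """Parse one LDIF entry (ldapsearch output) into {lowercase attribute: [values]}.

    Handles folded continuation lines (leading space) and base64 values ("attr:: ...").
    """
    attrs = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:      # folded continuation
            attrs[last][-1] += raw[1:]
            continue
        if not raw or raw.startswith("#") or raw.lower().startswith("dn:") or ":" not in raw:
            continue
        name, _, value = raw.partition(":")
        if value.startswith(":"):                          # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs


def audit_global_policy(attrs):
    """Return a list of findings for a parsed cn=config entry; an empty list means the global switches are set."""
    findings = []
    for name, expected in REQUIRED_SETTINGS.items():
        values = attrs.get(name.lower(), [])
        if not values:
            findings.append(f"{name} is not set on cn=config")
        elif values[0].lower() != expected:
            findings.append(f"{name} is {values[0]}, expected {expected}")
    scheme = attrs.get("passwordstoragescheme", ["(unset)"])[0]
    if scheme.upper() in WEAK_SCHEMES:
        findings.append(f"passwordStorageScheme {scheme} is weak")
    history = attrs.get("passwordinhistory", ["0"])[0]
    if not history.isdigit() or int(history) < 1:
        findings.append("passwordInHistory does not prevent password reuse")
    return findings


def render_modify_ldif(settings):
    """Render an ldapmodify LDIF that replaces the given attributes on cn=config."""
    lines = ["dn: cn=config", "changetype: modify"]
    for i, (name, value) in enumerate(settings.items()):
        if i:
            lines.append("-")
        lines.append(f"replace: {name}")
        lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


# Constructed sample: a cn=config entry with the switches still off.
SAMPLE_BEFORE = """\
dn: cn=config
cn: config
passwordCheckSyntax: off
passwordExp: off
passwordInHistory: 0
passwordisglobalpolicy: off
passwordLockout: off
passwordStorageScheme: SSHA
passwordMustChange: off
"""

# Constructed sample: the values from the post applied to cn=config.
SAMPLE_AFTER = """\
dn: cn=config
cn: config
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_global_policy(parse_ldif_entry(sample)) or "OK")
    print(render_modify_ldif({**REQUIRED_SETTINGS, "passwordInHistory": "10",
                              "passwordStorageScheme": "SHA512"}))
```

To run it against a live server, feed the output of `ldapsearch -b cn=config -s base` into parse_ldif_entry and pipe the rendered LDIF into ldapmodify; the per-subtree and per-user policies the post mentions are separate entries and are not checked here.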