RE: dirsrv, SSH and forcing password change at first login



Out of curiosity, is it working with md5?

In /etc/ldap.conf:
pam_password md5
pam_lookup_policy yes

Date: Thu, 29 Sep 2011 15:54:01 +0200
Subject: Re: dirsrv, SSH and forcing password change at first login
From: claudio.di.nardo@xxxxxxxxx
To: pam-list@xxxxxxxxxx

Hi all, (and hi Joe :P),

I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:

passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on

Then I leave it to each "per sub-tree" or "per user" setting to define all the other in-depth policies that are required (e.g. min password length 8 chars, min alpha chars, min digits, min caps...).
Plus, I updated the nss_ldap package to the latest release: apparently, in fact, the default nss_ldap package of RHEL 5.4 suffers from a bug in password expiry, as explained here -
Now I correctly get these messages:

user@ldap-client:[/root]# ssh ldap-user@ldap-client
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from

Remote kickstart on 2011-03-07


as well as

user@ldap-client:[/root]# ssh ldap-user@ldap-client
You are required to change your LDAP password immediately.
Enter login(LDAP) password:

Hope this can be useful for others.
Cheers! :)
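The message above boils down to one check a directory administrator wants to repeat: confirm that the global policy attributes on cn=config are actually set, because per-subtree and per-user policies stay inert without them. The following script is an added example, not code from the thread or from 389 Directory Server itself. It parses a cn=config entry exported as LDIF (the sample entry below is constructed for this example), compares it against the attribute values the poster reports as working, and emits an ldapmodify-style LDIF for whatever is missing or different. Attribute names and values come from the thread; the sample entry, the function names and the handling of LDIF line folding are this example's own assumptions.

```python
"""Audit the global password policy of a 389 Directory Server (dirsrv) cn=config entry.

Added example, not part of the mailing-list thread and not part of 389 DS.
Input is a plain LDIF export of cn=config (e.g. from ldapsearch); base64
("::") values are not needed for these attributes and are not decoded.
"""
from typing import Dict, List, Tuple

# Values the thread reports as a working global policy on cn=config.
EXPECTED = {
    "passwordCheckSyntax": "on",
    "passwordExp": "on",
    "passwordInHistory": "10",
    "passwordIsGlobalPolicy": "off",
    "passwordLockout": "on",
    "passwordStorageScheme": "SHA512",
    "passwordMustChange": "on",
}

# Constructed sample: an export where three of the attributes are still weak
# or disabled (syntax checking off, unsalted legacy SSHA scheme, no forced
# change at first login).
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
cn: config
passwordCheckSyntax: off
passwordExp: on
passwordInHistory: 10
passwordIsGlobalPolicy: off
passwordLockout: on
passwordStorageScheme: SSHA
passwordMustChange: off
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.

    LDIF folds long values onto continuation lines that start with a single
    space; those are joined back before splitting on the first colon.
    """
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # continuation of the previous line
        elif not line.strip() or line.startswith("#"):
            continue                         # blank line or LDIF comment
        else:
            logical.append(line)
    attrs: Dict[str, List[str]] = {}
    for line in logical:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_policy(entry: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (attribute, expected, found) for every attribute that is absent
    or differs (case-insensitively) from the expected global policy."""
    findings = []
    for attr, want in EXPECTED.items():
        values = entry.get(attr.lower(), [])
        have = values[0] if values else "<absent>"
        if have.lower() != want.lower():
            findings.append((attr, want, have))
    return findings


def remediation_ldif(findings: List[Tuple[str, str, str]]) -> str:
    """Build an LDIF modify record (consumable by ldapmodify) that sets every
    mismatched attribute to its expected value; empty string if compliant."""
    if not findings:
        return ""
    lines = ["dn: cn=config", "changetype: modify"]
    for attr, want, _ in findings:
        lines += [f"replace: {attr}", f"{attr}: {want}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_CONFIG)
    for attr, want, have in audit_policy(entry):
        print(f"{attr}: expected {want}, found {have}")
    print(remediation_ldif(audit_policy(entry)), end="")
```

On a live server the export would come from an ldapsearch against cn=config with the Directory Manager credentials, and the emitted LDIF would be fed to ldapmodify; the audit itself is read-only, so it can run from a monitoring job to catch the policy silently reverting.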

