Out of curiosity, is it working with md5?
In /etc/ldap.conf:

pam_password md5
pam_lookup_policy yes

Thanks,
Joe

> Date: Thu, 29 Sep 2011 15:54:01 +0200
> Subject: Re: dirsrv, SSH and forcing password change at first login
> From: claudio.di.nardo@xxxxxxxxx
> To: pam-list@xxxxxxxxxx
>
> Hi all, (and hi Joe :P),
>
> I finally got it working!
>
> Setting a password policy on a subtree or on a particular user is not enough to make it active: you have to enable that even on cn=config of your LDAP tree. In particular, in my configuration I have set those parameters on cn=config:
>
> ----------------------------------------------------------
> passwordCheckSyntax: on
> passwordExp: on
> passwordInHistory: 10
> passwordisglobalpolicy: off
> passwordLockout: on
> passwordStorageScheme: SHA512
> passwordMustChange: on
> ----------------------------------------------------------
>
> Then, I leave to each "per sub-tree" or "per user" setting the duty to set all the other in-depth policies (e.g.: min password length 8 chars, min alpha chars, min digits, min caps...) which are requested.
>
> Plus, I updated the nss_ldap package to the latest release: apparently, in fact, the RHEL 5.4 default package of nss_ldap suffers from a bug in password expiry, as explained here - http://rhn.redhat.com/errata/RHBA-2011-0097.html.
>
> Now I correctly get those messages:
>
> user@ldap-client:[/root]# ssh ldap-user@ldap-client
> Password:
> Your LDAP password will expire in 1 hour.
> Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx
> Remote kickstart on 2011-03-07
> ldap-user@ldap-client:[/home/ldap-user]#
>
> as well as
>
> user@ldap-client:[/root]# ssh ldap-user@ldap-client
> Password:
> You are required to change your LDAP password immediately.
> Enter login(LDAP) password:
>
> Hope this could be useful for others.
>
> Cheers! :)
> Claudio
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
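As an added illustration (not part of Claudio's or Joe's mail), here is the setup described above written out as LDIF for 389 Directory Server (dirsrv): the global switches on cn=config, using exactly the values Claudio quotes, followed by one subtree policy entry carrying the in-depth rules he delegates to it (minimum length, alphas, digits, uppercase, expiry) and a per-user assignment of that policy. The base DN dc=example,dc=com, the ou=people subtree, the uid=ldap-user account and every value in the subtree entry are assumptions for the example, not from the thread.

```ldif
# Added example, not from the thread. Step 1: global switches on cn=config.
# Without these, a subtree or per-user policy is not enforced at bind time.
dn: cn=config
changetype: modify
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordExp
passwordExp: on
-
replace: passwordInHistory
passwordInHistory: 10
-
replace: passwordIsGlobalPolicy
passwordIsGlobalPolicy: off
-
replace: passwordLockout
passwordLockout: on
-
replace: passwordStorageScheme
passwordStorageScheme: SHA512
-
replace: passwordMustChange
passwordMustChange: on

# Step 2: container and policy entry for the ou=people subtree
# (assumed DN; the in-depth values below are assumptions too).
dn: cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: nsContainer
cn: nsPwPolicyContainer

dn: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: "cn=nsPwPolicyEntry,ou=people,dc=example,dc=com"
passwordMustChange: on
passwordCheckSyntax: on
passwordMinLength: 8
passwordMinAlphas: 1
passwordMinDigits: 1
passwordMinUppers: 1
passwordExp: on
# passwordMaxAge and passwordWarning are in seconds: 90 days, warn 7 days ahead
passwordMaxAge: 7776000
passwordWarning: 604800

# Step 3: per-user assignment, pointing one account (assumed DN) at the policy.
dn: uid=ldap-user,ou=people,dc=example,dc=com
changetype: modify
replace: pwdpolicysubentry
pwdpolicysubentry: cn="cn=nsPwPolicyEntry,ou=people,dc=example,dc=com",cn=nsPwPolicyContainer,ou=people,dc=example,dc=com
```

Apply it as Directory Manager with `ldapmodify -x -D "cn=Directory Manager" -W -H ldap://ldap-server -f policy.ldif`, then confirm the global flags actually took with `ldapsearch -x -D "cn=Directory Manager" -W -H ldap://ldap-server -b cn=config -s base passwordMustChange passwordExp passwordLockout passwordStorageScheme`. On the client side, the `pam_lookup_policy yes` line Joe shows in /etc/ldap.conf is what makes pam_ldap read the policy controls returned on bind, so that the "You are required to change your LDAP password immediately" prompt from Claudio's session appears at the first SSH login instead of the account silently binding with a stale password.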