RSS feed

nss-pam-ldapd and the pwdExpireWarning attribute of OpenLDAP's ppolicy overlay

[Date Prev][Date Next] [Thread Prev][Thread Next]

nss-pam-ldapd and the pwdExpireWarning attribute of OpenLDAP's ppolicy overlay

Hi folks,

I am working on implementing the ppolicy overlay to solve some compliance 
issues.  As part of that implementation, I
chose to set the pwdExpireWarning attribute, which will send a message to 
anybody authenticating to the directory to let
them know that their password is going to expire.  The conversational message 
would look something like this when
SSH-ing in to a Linux box:

 # ssh -o PubkeyAuthentication=no foo@ldapmaster5
foo@ldapmaster5's password:
You are required to change your LDAP password immediately.
Last login: Tue Dec 28 10:06:53 2010 from foolaptop
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user foo.
Enter login(LDAP) password:
New password:
Retype new password:

However, in order for people to be able to receive that message, they must send 
a ppolicy control with the bind request.
 Using ldapsearch as an example, one would use the -e flag to send this control 
using the proper extension:

# ldapsearch -x -ZZ -LLL -D uid=foo,ou=Users,dc=example,dc=com -e ppolicy -W 
'(uid=foo)' uid
Enter LDAP Password:
ldap_bind: Success (0) (Password expires in 2268 seconds)
dn: uid=foo,ou=Users,dc=example,dc=com
uid: foo

I was not able to find any documentation for this in the nslcd man page or 
reference material, though it's entirely
possible I just overlooked it.  So, this begs the question: is it possible to 
send ppolicy controls when binding to the
slapd server through libnss-ldapd/nslcd?  If not, how are others compensating 
for this?

Thanks for any and all advice,

To unsubscribe send an email to or see