Re: nss-pam-ldapd and the pwdExpireWarning attribute of OpenLDAP's ppolicy overlay

Actually, it seems worse than that - none of the ppolicy controls relevant to
expiry seem to be honored at login.  This means that users have no idea their
account passwords are going to expire until it's too late and they can't log
in.  Is this just a use case that isn't supported at this time?  Thanks as
always for the advice.


Ryan Steele wrote:
> Hi folks,
>
> I am working on implementing the ppolicy overlay to solve some compliance
> issues.  As part of that implementation, I chose to set the pwdExpireWarning
> attribute, which will send a message to anybody authenticating to the
> directory to let them know that their password is going to expire.  The
> conversational message would look something like this when SSH-ing in to a
> Linux box:
>
> # ssh -o PubkeyAuthentication=no foo@ldapmaster5
> foo@ldapmaster5's password:
> You are required to change your LDAP password immediately.
> Last login: Tue Dec 28 10:06:53 2010 from foolaptop
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user foo.
> Enter login(LDAP) password:
> New password:
> Retype new password:
>
> However, in order for people to be able to receive that message, they must
> send a ppolicy control with the bind request.  Using ldapsearch as an
> example, one would use the -e flag to send this control using the proper
> extension:
>
> # ldapsearch -x -ZZ -LLL -D uid=foo,ou=Users,dc=example,dc=com -e ppolicy -W '(uid=foo)' uid
> Enter LDAP Password:
> ldap_bind: Success (0) (Password expires in 2268 seconds)
> dn: uid=foo,ou=Users,dc=example,dc=com
> uid: foo
>
> I was not able to find any documentation for this in the nslcd man page or
> reference material, though it's entirely possible I just overlooked it.  So,
> this begs the question: is it possible to send ppolicy controls when binding
> to the slapd server through libnss-ldapd/nslcd?  If not, how are others
> compensating for this?
>
> Thanks for any and all advice,
> Ryan
> --
> To unsubscribe send an email to
> or see