
expired password reset prompt (0.9.2, ppolicy)

My users login at xdm.
When their password is expired,
I expect xdm to say something like

    Password has expired!
    Old password:
    New password:
    New password again: ...

then reset their password and continue to their normal X session.

My server was and is running Ubuntu 10.04 / slapd 2.4.21.

With client running Ubuntu 10.04 / PADL, it worked -- though I was
overriding /etc/pam.d/common-* to *only* try ldap auth, because
use_first_pass wasn't working with unix before ldap.

With client running Debian 7 / nss-pam-ldapd 0.9.2-1wheezy1 (that I
backported myself), it doesn't work, I just get

    Login incorrect or forbidden by policy.

I'm using ppolicy, my policy is below.
(Normally pwdMaxAge is much higher;
I decrease it during testing.)

    dn: cn=policy,o=PrisonPC
    objectClass: pwdPolicy
    objectClass: device
    pwdAttribute: userPassword
    pwdExpireWarning: 604800
    pwdInHistory: 2
    pwdCheckQuality: 2
    pwdMinLength: 8
    pwdMaxFailure: 4
    pwdLockout: TRUE
    pwdLockoutDuration: 1800
    pwdFailureCountInterval: 300
    pwdMustChange: TRUE
    pwdAllowUserChange: TRUE
    pwdSafeModify: FALSE
    cn: policy
    pwdMaxAge: 120

Using nslcd -d, this is what I see:

    nslcd: [8b4567] DEBUG: connection from pid=3549 uid=0 gid=0
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [8b4567] <passwd="p"> DEBUG: myldap_search(base="o=PrisonPC", filter="(&(objectClass=posixAccount)(uid=p))")
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_initialize(ldap://ldap/)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_rebind_proc()
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://ldap/")
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_result(): uid=p,ou=people,o=PrisonPC
    nslcd: [8b4567] <passwd="p"> DEBUG: ldap_result(): end of results (1 total)
    nslcd: [7b23c6] DEBUG: connection from pid=2990 uid=0 gid=0
    nslcd: DEBUG: accept() failed (ignored): Resource temporarily unavailable
    nslcd: [7b23c6] <authc="p"> DEBUG: nslcd_pam_authc("p","xdm","***")
    nslcd: [7b23c6] <authc="p"> DEBUG: myldap_search(base="o=PrisonPC", filter="(&(objectClass=posixAccount)(uid=p))")
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_initialize(ldap://ldap/)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_rebind_proc()
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://ldap/")
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_result(): uid=p,ou=people,o=PrisonPC
    nslcd: [7b23c6] <authc="p"> DEBUG: myldap_search(base="uid=p,ou=people,o=PrisonPC", filter="(objectClass=*)")
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_initialize(ldap://ldap/)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_rebind_proc()
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_sasl_bind("uid=p,ou=people,o=PrisonPC","***") (uri="ldap://ldap/")
    nslcd: [7b23c6] <authc="p"> ldap_parse_result() failed: Invalid credentials
    nslcd: [7b23c6] <authc="p"> DEBUG: failed to bind to LDAP server ldap://ldap/: Invalid credentials
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_unbind()
    nslcd: [7b23c6] <authc="p"> uid=p,ou=people,o=PrisonPC: lookup failed: Invalid credentials
    nslcd: [7b23c6] <authc="p"> DEBUG: myldap_search(base="o=PrisonPC", filter="(&(objectClass=shadowAccount)(uid=p))")
    nslcd: [7b23c6] <authc="p"> DEBUG: ldap_result(): end of results (0 total)

My nslcd config is straightforward:

    # cat /etc/nslcd.conf
    uid nslcd
    gid nslcd
    uri ldap://ldap/
    base o=PrisonPC
    pam_authz_search (&(objectClass=posixGroup)(cn=prisoners)(memberUid=$username))

My pam config is the default that pam-auth-update created:

    # grep -vE '^[[:space:]]*(#|$)' /etc/pam.d/{xdm,common-{auth,account,session,password}}
    /etc/pam.d/xdm:auth             requisite       pam_nologin.so
    /etc/pam.d/xdm:auth             required        pam_env.so
    /etc/pam.d/xdm:auth             required        pam_env.so envfile=/etc/default/locale
    /etc/pam.d/xdm:session          required        pam_limits.so
    /etc/pam.d/xdm:@include common-auth
    /etc/pam.d/xdm:@include common-account
    /etc/pam.d/xdm:@include common-session
    /etc/pam.d/xdm:@include common-password
    /etc/pam.d/common-auth:auth     [success=2 default=ignore]      pam_unix.so nullok_secure
    /etc/pam.d/common-auth:auth     [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
    /etc/pam.d/common-auth:auth     requisite                       pam_deny.so
    /etc/pam.d/common-auth:auth     required                        pam_permit.so
    /etc/pam.d/common-account:account       [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
    /etc/pam.d/common-account:account       requisite                       pam_deny.so
    /etc/pam.d/common-account:account       required                        pam_permit.so
    /etc/pam.d/common-account:account       [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
    /etc/pam.d/common-session:session       [default=1]                     pam_permit.so
    /etc/pam.d/common-session:session       requisite                       pam_deny.so
    /etc/pam.d/common-session:session       required                        pam_permit.so
    /etc/pam.d/common-session:session       required        pam_unix.so
    /etc/pam.d/common-session:session       [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
    /etc/pam.d/common-password:password     [success=2 default=ignore]      pam_unix.so obscure sha512
    /etc/pam.d/common-password:password     [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 try_first_pass
    /etc/pam.d/common-password:password     requisite                       pam_deny.so
    /etc/pam.d/common-password:password     required                        pam_permit.so

Users *can* log in normally, and they *can* reset their password
manually ahead of time -- I'm currently using userpasswd from the
"usermode" package to let them do this from the GUI.

Here's what my test user "p" looks like (inc. operational attributes):

    # slapcat -a uid=p
    dn: uid=p,ou=people,o=PrisonPC
    uid: p
    uidNumber: 4096
    homeDirectory: /home/prisoners/p
    objectClass: posixAccount
    objectClass: inetOrgPerson
    cn: P
    sn: P
    gidNumber: 4096
    loginShell: /bin/false
    structuralObjectClass: inetOrgPerson
    entryUUID: c04fdcc8-f73e-1032-9cae-eb4cefc61179
    creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    createTimestamp: 20131212060239Z
    pwdHistory: 20140423012817Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}ZRLBzACjf3G
     OiTjLCFlqHj89VdEls8SS
    pwdHistory: 20140423012826Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}HicvRK396rH
     JeW0hm6P1wG1+4j4HbIqo
    manager: uid=cyber,ou=people,o=prisonpc
    description: WAFFLE WAFFLE WAFFLE
    gecos: C
    userPassword:: e1NTSEF9VXRaeTA1YnpWZUZTOWNidFNUV01DTFV5L3g4MzdPa0s=
    pwdChangedTime: 20140423012826Z
    entryCSN: 20140423012826.647742Z#000000#000#000000
    modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    modifyTimestamp: 20140423012826Z

Any suggestions?
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
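As an added example (not code from the post, from nss-pam-ldapd or from OpenLDAP), the script below models the ppolicy arithmetic behind the policy and the `slapcat` entry quoted above: when the password expires relative to `pwdChangedTime` and `pwdMaxAge`, whether a bind falls inside the `pwdExpireWarning` window, and how `pwdMaxFailure`, `pwdFailureCountInterval` and `pwdLockoutDuration` combine into a lockout. It lets an administrator predict what slapd will decide for a given timestamp before changing the PAM stack. The LDIF reader, the `first`/`state_after`/`locked_after` helpers and the lockout model are my own simplifications, not the ppolicy overlay's code; the policy and entry attributes are copied from the post, and the failure timestamps are constructed.

```python
# Added example: model OpenLDAP ppolicy expiry/warning/lockout decisions.
# Not nss-pam-ldapd or OpenLDAP code; helper names are hypothetical.
from datetime import datetime, timedelta, timezone


def parse_ldif(text):
    """Minimal LDIF reader (assumption: one entry, no changetype records).
    Handles 'attr: value' lines, folded continuation lines (leading space)
    and repeated attributes. Base64 values ('::') are kept undecoded."""
    logical = []
    for raw in text.strip("\n").splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # LDIF folding: join to previous line
        elif raw.strip():
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    return entry


def first(entry, attr, default):
    """First value of a (possibly multi-valued) attribute, or a default."""
    return entry.get(attr, [default])[0]


def parse_gentime(s):
    """GeneralizedTime as slapd writes it: YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(policy, entry, now):
    """Expiry as ppolicy computes it: the password expires pwdMaxAge seconds
    after pwdChangedTime; within pwdExpireWarning seconds of that moment a
    successful bind carries an expiry warning. pwdMaxAge 0 = never expires."""
    max_age = int(first(policy, "pwdMaxAge", "0"))
    warn = int(first(policy, "pwdExpireWarning", "0"))
    if max_age == 0:
        return {"expired": False, "warning": False, "seconds_left": None}
    changed = parse_gentime(entry["pwdChangedTime"][0])
    seconds_left = int((changed + timedelta(seconds=max_age) - now).total_seconds())
    return {
        "expired": seconds_left <= 0,
        "warning": 0 < seconds_left <= warn,
        "seconds_left": seconds_left,
    }


def is_locked_out(policy, failure_times, now):
    """Simplified model of the ppolicy failure counters (assumption): bind
    failures older than pwdFailureCountInterval are discarded; once
    pwdMaxFailure failures remain, the account is locked from that failure
    for pwdLockoutDuration seconds (0 = until an administrator resets it)."""
    if first(policy, "pwdLockout", "FALSE") != "TRUE":
        return False
    max_fail = int(first(policy, "pwdMaxFailure", "0"))
    interval = int(first(policy, "pwdFailureCountInterval", "0"))
    duration = int(first(policy, "pwdLockoutDuration", "0"))
    if max_fail == 0:
        return False
    recent = []
    for t in sorted(failure_times):
        if t > now:
            break
        if interval:
            recent = [f for f in recent if (t - f).total_seconds() <= interval]
        recent.append(t)
        if len(recent) >= max_fail:
            return duration == 0 or now < t + timedelta(seconds=duration)
    return False


# Policy and entry attributes copied from the post (only those used here).
POLICY = parse_ldif("""
dn: cn=policy,o=PrisonPC
pwdExpireWarning: 604800
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdFailureCountInterval: 300
pwdMaxAge: 120
""")

USER = parse_ldif("""
dn: uid=p,ou=people,o=PrisonPC
pwdHistory: 20140423012826Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}HicvRK396rH
 JeW0hm6P1wG1+4j4HbIqo
userPassword:: e1NTSEF9VXRaeTA1YnpWZUZTOWNidFNUV01DTFV5L3g4MzdPa0s=
pwdChangedTime: 20140423012826Z
""")

CHANGED = parse_gentime("20140423012826Z")


def state_after(seconds):
    """Password state `seconds` after the last change recorded in USER."""
    return password_state(POLICY, USER, CHANGED + timedelta(seconds=seconds))


def locked_after(fail_offsets, now_offset):
    """Lockout state given constructed bind failures at the given offsets."""
    fails = [CHANGED + timedelta(seconds=s) for s in fail_offsets]
    return is_locked_out(POLICY, fails, CHANGED + timedelta(seconds=now_offset))


if __name__ == "__main__":
    for offset in (90, 121):
        print(offset, state_after(offset))
    print(locked_after([10, 20, 30, 40], 60), locked_after([10, 410, 810, 1210], 1300))
```

With the quoted test policy, `pwdExpireWarning` (604800) is far larger than `pwdMaxAge` (120), so every successful bind during the password's lifetime already falls in the warning window, and any bind after 120 seconds is against an expired password; the model makes both cases visible for a chosen timestamp without touching the directory.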