OpenLDAP ppolicy + ubuntu clients expired passwords
- From: Rodrigo Arigita del Cacho <rarigita [at] damal.es>
- To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: OpenLDAP ppolicy + ubuntu clients expired passwords
- Date: Mon, 18 Mar 2019 12:41:20 +0000
Hello Mr de Jong, I am Mr. Arigita, from Spain. I’m stuck with a problem with nslcd and I need help. Before writing here I spent many days searching the web for a solution to my problem without success: I have a multimaster OpenLDAP setup with ppolicy overlay. Users are forced to change expired passwords. I managed to make all clients display and prompt for a new password with a normal nss-pam-ldap configuration (/etc/ldap.conf). However, I was limited in filters and I found your packages (nss-pam-ldapd), which helped me to define better group, passwd and authz filters. So I switched and started using your nslcd daemon and tools. But now I do not get any password expired warning and no password change prompt is displayed on the client machines while logging in with expired passwords through ssh.

For testing I removed all filters and left a simple nslcd.conf file:

/etc/nslcd.conf:
uid nslcd
gid nslcd
uri ldap://temis/
base dc=domain
ldap_version 3
binddn cn=leoldap,dc=coop,dc=consum,dc=es
bindpw leoldap
ssl start_tls
tls_reqcert allow
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

The situation is as follows:
Here are some configs and dumps:
dn: olcOverlay={4}ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: {4}ppolicy
olcPPolicyDefault: cn=PWUsuarios,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyForwardUpdates: FALSE
dn: cn=PWUsuarios,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
cn: PWUsuarios
objectClass: pwdPolicy
objectClass: device
objectClass: top
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: pqchecker.so
pwdCheckQuality: 2
pwdFailureCountInterval: 0
pwdInHistory: 3
pwdLockoutDuration: 3600
pwdMaxFailure: 3
pwdMinLength: 10
pwdMustChange: TRUE
pwdMaxAge: 120
pwdExpireWarning: 120
pwdGraceAuthNLimit: 1
pwdLockout: TRUE

dn: cn=PWApps,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
cn: PWApps
objectClass: pwdPolicy
objectClass: device
objectClass: top
objectClass: pwdPolicyChecker
pwdAllowUserChange: FALSE
pwdAttribute: userPassword
pwdCheckModule: pqchecker.so
pwdCheckQuality: 2
pwdFailureCountInterval: 0
pwdGraceAuthNLimit: 0
pwdLockoutDuration: 0
pwdMaxFailure: 3
pwdMinLength: 8
nslcd: DEBUG: NSS_LDAP nss-pam-ldapd 0.9.9
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,allow)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_CACERTFILE,"/etc/ssl/certs/ca-certificates.crt")
nslcd: DEBUG: CFG: threads 5
nslcd: DEBUG: CFG: uid nslcd
nslcd: DEBUG: CFG: gid 131
nslcd: DEBUG: CFG: uri ldap://temis/
nslcd: DEBUG: CFG: ldap_version 3
nslcd: DEBUG: CFG: binddn cn=leoldap,dc=domain
nslcd: DEBUG: CFG: bindpw ***
nslcd: DEBUG: CFG: base dc=domain
nslcd: DEBUG: CFG: scope sub
nslcd: DEBUG: CFG: deref never
nslcd: DEBUG: CFG: referrals yes
nslcd: DEBUG: CFG: filter aliases (objectClass=nisMailAlias)
nslcd: DEBUG: CFG: filter ethers (objectClass=ieee802Device)
nslcd: DEBUG: CFG: filter group (objectClass=posixGroup)
nslcd: DEBUG: CFG: filter hosts (objectClass=ipHost)
nslcd: DEBUG: CFG: filter netgroup (objectClass=nisNetgroup)
nslcd: DEBUG: CFG: filter networks (objectClass=ipNetwork)
nslcd: DEBUG: CFG: filter passwd (objectClass=posixAccount)
nslcd: DEBUG: CFG: filter protocols (objectClass=ipProtocol)
nslcd: DEBUG: CFG: filter rpc (objectClass=oncRpc)
nslcd: DEBUG: CFG: filter services (objectClass=ipService)
nslcd: DEBUG: CFG: filter shadow (objectClass=shadowAccount)
nslcd: DEBUG: CFG: map group userPassword "*"
nslcd: DEBUG: CFG: map passwd userPassword "*"
nslcd: DEBUG: CFG: map passwd gecos "${gecos:-$cn}"
nslcd: DEBUG: CFG: map shadow userPassword "*"
nslcd: DEBUG: CFG: map shadow shadowLastChange "${shadowLastChange:--1}"
nslcd: DEBUG: CFG: map shadow shadowMin "${shadowMin:--1}"
nslcd: DEBUG: CFG: map shadow shadowMax "${shadowMax:--1}"
nslcd: DEBUG: CFG: map shadow shadowWarning "${shadowWarning:--1}"
nslcd: DEBUG: CFG: map shadow shadowInactive "${shadowInactive:--1}"
nslcd: DEBUG: CFG: map shadow shadowExpire "${shadowExpire:--1}"
nslcd: DEBUG: CFG: map shadow shadowFlag "${shadowFlag:-0}"
nslcd: DEBUG: CFG: pam_authc_ppolicy yes
nslcd: DEBUG: CFG: bind_timelimit 10
nslcd: DEBUG: CFG: timelimit 0
nslcd: DEBUG: CFG: idle_timelimit 0
nslcd: DEBUG: CFG: reconnect_sleeptime 1
nslcd: DEBUG: CFG: reconnect_retrytime 10
nslcd: DEBUG: CFG: ssl start_tls
nslcd: DEBUG: CFG: tls_reqcert allow
nslcd: DEBUG: CFG: tls_cacertfile /etc/ssl/certs/ca-certificates.crt
nslcd: DEBUG: CFG: pagesize 0
nslcd: DEBUG: CFG: nss_initgroups_ignoreusers kernoops,bin,whoopsie,systemd-network,nslcd,cups-pk-helper,hplip,pulse,rou,daemon,colord,avahi,messagebus,xrdp,backup,gnome-initial-setup,mysql,irc,man,openldap,new...
nslcd: DEBUG: CFG: nss_min_uid 0
nslcd: DEBUG: CFG: nss_uid_offset 0
nslcd: DEBUG: CFG: nss_gid_offset 0
nslcd: DEBUG: CFG: nss_nested_groups no
nslcd: DEBUG: CFG: nss_getgrent_skipmembers no
nslcd: DEBUG: CFG: nss_disable_enumeration no
nslcd: DEBUG: CFG: validnames /^[a-z0-9._@$()]([a-z0-9._@$() \~-]*[a-z0-9._@$()~-])?$/i
nslcd: DEBUG: CFG: ignorecase no
nslcd: DEBUG: CFG: pam_authc_search BASE
nslcd: DEBUG: CFG: cache dn2uid 15m 15m
nslcd: version 0.9.9 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: initgroups("nslcd",131) done
nslcd: DEBUG: setgid(131) done
nslcd: DEBUG: setuid(127) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [8b4567] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [8b4567] <passwd="rarigita"> (re)loading /etc/nsswitch.conf
nslcd: [8b4567] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [7b23c6] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [7b23c6] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [3c9869] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [3c9869] <shadow="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=shadowAccount)(uid=rarigita))")
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [3c9869] <shadow="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [334873] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [334873] <passwd="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [334873] <passwd="rarigita"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [b0dc51] DEBUG: connection from pid=101098 uid=0 gid=0
nslcd: [b0dc51] <authc="rarigita"> DEBUG: nslcd_pam_authc("rarigita","sshd","***")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: myldap_search(base="dc=domain", filter="(&(objectClass=posixAccount)(uid=rarigita))")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_simple_bind_s("cn=leoldap,dc=domain","***") (uri="ldap://temis/")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_result(): cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain
nslcd: [b0dc51] <authc="rarigita"> DEBUG: myldap_search(base="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain", filter="(objectClass=*)")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_sasl_bind("cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain","***") (uri="ldap://temis/") (ppolicy=yes)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: failed to bind to LDAP server ldap://temis/: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_unbind()
nslcd: [b0dc51] <authc="rarigita"> cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain: Password expired
nslcd: [495cff] DEBUG: connection from pid=101160 uid=0 gid=0
nslcd: [495cff] <group/member="root"> DEBUG: ignored group member
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 fd=21 ACCEPT from IP=10.6.22.124:44996 (IP=10.6.22.121:389)
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 STARTTLS
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=0 RESULT oid= err=0 text=
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 fd=21 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:36 CarlosIs99 slapd[1757]: conn=6320 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 fd=22 ACCEPT from IP=10.6.22.124:45032 (IP=10.6.22.121:389)
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 STARTTLS
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=0 RESULT oid= err=0 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 fd=22 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6321 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 fd=23 ACCEPT from IP=10.6.22.124:45036 (IP=10.6.22.121:389)
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 STARTTLS
Mar 18 13:27:41 CarlosIs99 slapd[1757]: conn=6322 op=0 RESULT oid= err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 fd=23 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=rarigita))"
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SRCH attr=shadowFlag shadowMax shadowMin shadowLastChange uid shadowExpire shadowInactive shadowWarning
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6322 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 fd=24 ACCEPT from IP=10.6.22.124:45038 (IP=10.6.22.121:389)
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 STARTTLS
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=0 RESULT oid= err=0 text=
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 fd=24 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 BIND dn="cn=leoldap,dc=domain" method=128
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 BIND dn="cn=leoldap,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:42 CarlosIs99 slapd[1757]: conn=6323 op=1 RESULT tag=97 err=0 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SRCH attr=uidNumber cn gecos uid objectClass homeDirectory gidNumber loginShell
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6323 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SRCH base="dc=domain" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=rarigita))"
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SRCH attr=uid uidNumber
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 ACCEPT from IP=10.6.22.124:45050 (IP=10.6.22.121:389)
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 STARTTLS
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=0 RESULT oid= err=0 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 TLS established tls_ssf=256 ssf=256
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" method=128
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:43 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain has an expired password: 0 grace logins
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 RESULT tag=97 err=49 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=2 UNBIND
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 closed
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6320 op=4 ABANDON msg=4

Groups are posixGroups, accounts are posixAccount, shadowAccount and inetOrgPerson.
But I don’t get any password expired notification at the ssh login prompt. Is this normal? I have read plenty of posts about this and I believe it must be working. The password expired and password change prompt is working with the nss-pam-ldap config. Can you provide advice or help? It would be greatly appreciated. I have been testing nslcd for 3 days without success in getting the expired password message displayed at the ssh login prompt.

Also, would this be supported on Debian 7 and Ubuntu 14? We have a few older setups in our network. Thank you.
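An added example (editor's code, not from the nss-pam-ldapd project or from the message above) that reads the two kinds of lines in the dumps which decide what a PAM client can do: on the nslcd side, "got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (...)" together with "ldap_parse_result() result: ..."; on the slapd side, the "ppolicy_bind: ... grace logins" message paired with the bind RESULT that follows it. It separates the case where the control reports an expired password on a bind the server accepted (a grace login, after which the module still holds an authenticated session in which a change can be requested) from the one in the dump, where the control says Password expired but the bind itself came back err=49 / Invalid credentials with 0 grace logins reported. The sample lines are constructed: the first session mirrors the quoted output with the DN shortened; the grace01 and fresh01 sessions are invented to show the other two outcomes.

```python
"""Classify ppolicy bind outcomes from nslcd -d and slapd log lines.

Added example by the editor; not code from the nss-pam-ldapd project or
from the message. The sample lines are constructed: the first session
mirrors the shape of the quoted output (DN shortened), the other two are
invented to show the grace-login and not-expired outcomes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

NSLCD_LOG = """\
nslcd: [b0dc51] <authc="rarigita"> DEBUG: nslcd_pam_authc("rarigita","sshd","***")
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_sasl_bind("cn=Rodrigo Arigita,ou=Usuarios,dc=domain","***") (uri="ldap://temis/") (ppolicy=yes)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: failed to bind to LDAP server ldap://temis/: Invalid credentials
nslcd: [1a2b3c] <authc="grace01"> DEBUG: nslcd_pam_authc("grace01","sshd","***")
nslcd: [1a2b3c] <authc="grace01"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)
nslcd: [1a2b3c] <authc="grace01"> DEBUG: ldap_parse_result() result: Success
nslcd: [4d5e6f] <authc="fresh01"> DEBUG: nslcd_pam_authc("fresh01","sshd","***")
nslcd: [4d5e6f] <authc="fresh01"> DEBUG: ldap_parse_result() result: Success
"""

SLAPD_LOG = """\
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:43 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=Rodrigo Arigita,ou=Usuarios,dc=domain has an expired password: 0 grace logins
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 RESULT tag=97 err=49 text=
Mar 18 13:30:01 CarlosIs99 slapd[1757]: conn=6330 op=1 BIND dn="cn=grace01,ou=Usuarios,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:30:01 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=grace01,ou=Usuarios,dc=domain has an expired password: 1 grace logins
Mar 18 13:30:01 CarlosIs99 slapd[1757]: conn=6330 op=1 RESULT tag=97 err=0 text=
"""

# nslcd side: only the <authc=...> sessions carry the bind done with the user's own password.
_NSLCD = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] <authc="(?P<user>[^"]+)"> DEBUG: (?P<msg>.*)$')
_PP_CTRL = re.compile(r'^got LDAP_CONTROL_PASSWORDPOLICYRESPONSE \((?P<text>[^)]*)\)$')
_RESULT = re.compile(r'^ldap_parse_result\(\) result: (?P<text>.*)$')
# slapd side: the ppolicy overlay's expiry message, then the RESULT of that bind (tag=97 is BindResponse).
_SLAPD_PP = re.compile(r'ppolicy_bind: Entry (?P<dn>.+?) has an expired password: (?P<grace>\d+) grace logins')
_SLAPD_RESULT = re.compile(r'conn=\d+ op=\d+ RESULT tag=97 err=(?P<err>\d+)')


@dataclass
class BindOutcome:
    user: str
    control: Optional[str] = None  # text of the ppolicy response control, if one arrived
    result: Optional[str] = None   # text of the bind result as nslcd logged it

    def verdict(self) -> str:
        """Map (control, result) to what the PAM side has to work with."""
        expired = self.control is not None and "expired" in self.control.lower()
        if self.result == "Success" and expired:
            return "expired-grace-login"     # bind accepted: a change can still be requested
        if self.result == "Success":
            return "ok"
        if expired:
            return "expired-bind-rejected"   # no grace left: authentication itself failed
        return "bind-failed"


def parse_nslcd(lines: List[str]) -> Dict[str, BindOutcome]:
    """Group authc debug lines by nslcd session id and keep the control and result texts."""
    out: Dict[str, BindOutcome] = {}
    for line in lines:
        m = _NSLCD.match(line)
        if not m:
            continue
        o = out.setdefault(m["sid"], BindOutcome(user=m["user"]))
        c = _PP_CTRL.match(m["msg"])
        if c:
            o.control = c["text"]
        r = _RESULT.match(m["msg"])
        if r:
            o.result = r["text"]
    return out


def nslcd_verdicts(log: str) -> Dict[str, str]:
    """Return {user: verdict} for every authc session in an nslcd -d log."""
    return {o.user: o.verdict() for o in parse_nslcd(log.splitlines()).values()}


def parse_slapd(lines: List[str]) -> List[dict]:
    """Pair each ppolicy_bind expiry message with the bind RESULT that follows it."""
    events, pending = [], None
    for line in lines:
        p = _SLAPD_PP.search(line)
        if p:
            pending = {"dn": p["dn"], "grace": int(p["grace"])}
            continue
        r = _SLAPD_RESULT.search(line)
        if r and pending is not None:
            pending["err"] = int(r["err"])
            events.append(pending)
            pending = None
    return events


def slapd_verdicts(log: str) -> Dict[str, str]:
    """Return {dn: verdict}; err=49 is LDAP invalidCredentials, err=0 an accepted bind."""
    out: Dict[str, str] = {}
    for ev in parse_slapd(log.splitlines()):
        if ev["err"] == 0:
            out[ev["dn"]] = "expired-grace-login"
        elif ev["err"] == 49:
            out[ev["dn"]] = "expired-bind-rejected"
        else:
            out[ev["dn"]] = f"expired-err-{ev['err']}"
    return out


if __name__ == "__main__":
    for user, v in nslcd_verdicts(NSLCD_LOG).items():
        print(f"nslcd  {user:10} {v}")
    for dn, v in slapd_verdicts(SLAPD_LOG).items():
        print(f"slapd  {dn:45} {v}")
```

Run it against a real "nslcd -d" capture and the matching slapd log to see whether the two sides agree for a given login; in the dump quoted in the message both sides give the rejected-bind verdict for the same session.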