Re: nslcd + ppolicy expired passwords notifications and change prompt

Hi, my question requires a simple boolean answer:

Does the current version of nslcd + libraries support password change on the ssh prompt when logging in with an expired password controlled by ppolicy?

YES | NO ?

It does work if I set the pwdReset attribute to TRUE on a user object, but not if the ppolicy sets the password as expired.

With pwdReset TRUE, on nslcd -d I get: LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed), and it asks for a password change;
otherwise I get: LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired), login denied, no password change.

Can you confirm this is the normal behavior of your packages? Or am I missing some parameter somewhere (pam, nss, nslcd, etc.)?

Thank you.


Configs and logs:

Ppolicy default:

dn: cn=PWUsuarios,ou=Politicas,ou=Seguridad,ou=Grupos,dc=domain
cn: PWUsuarios
objectClass: pwdPolicy
objectClass: device
objectClass: top
objectClass: pwdPolicyChecker
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckModule: pqchecker.so
pwdCheckQuality: 2
pwdFailureCountInterval: 0
pwdInHistory: 3
pwdLockoutDuration: 3600
pwdMaxFailure: 3
pwdMinLength: 10
pwdMustChange: TRUE
pwdMaxAge: 120
pwdExpireWarning: 120
pwdGraceAuthNLimit: 1
pwdLockout: FALSE

nslcd -d:


[b0dc51] <authc="rarigita"> DEBUG: ldap_initialize(ldap://temis/)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_rebind_proc()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_start_tls_s()
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_sasl_bind("cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain","***") (uri="ldap://temis/") (ppolicy=yes)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_parse_result() result: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: failed to bind to LDAP server ldap://temis/: Invalid credentials
nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_unbind()

slapd log:


Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" method=128
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 BIND dn="cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain" mech=SIMPLE ssf=0
Mar 18 13:27:43 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain has an expired password: 0 grace logins
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 RESULT tag=97 err=49 text=
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=2 UNBIND
Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 fd=25 closed
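As an added example (not part of this post, and not nslcd or OpenLDAP code), here is a small Python triage helper for the situation described above. It does two things: it models, as an assumption about how ppolicy decides a bind, what state an account is in given the pwdMaxAge, pwdExpireWarning and pwdGraceAuthNLimit values of the quoted policy, and it classifies nslcd -d and slapd log lines so that a "Password expired / err=49" refusal can be told apart from the "Password must be changed" outcome of pwdReset. The sample log reuses lines from the post plus one constructed nslcd line for a made-up user "jdoe"; the pwdChangedTime values and the `grace_used` parameter (standing in for the count of pwdGraceUseTime values on an entry) are assumptions.

```python
import re
from datetime import datetime, timezone

# Values copied from the pwdPolicy entry quoted in the post (all in seconds).
PWD_MAX_AGE = 120
PWD_EXPIRE_WARNING = 120
PWD_GRACE_AUTHN_LIMIT = 1


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as a pwdChangedTime of '20240318132500Z'."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(pwd_changed_time, now, grace_used=0, pwd_reset=False,
                   max_age=PWD_MAX_AGE, expire_warning=PWD_EXPIRE_WARNING,
                   grace_limit=PWD_GRACE_AUTHN_LIMIT):
    """Simplified model (an assumption, not OpenLDAP code) of what ppolicy
    decides at bind time for one account.

    Returns one of:
      'must-change'    pwdReset is TRUE: the bind succeeds and the control says
                       a change is required (nslcd: Password must be changed)
      'ok'             password still valid, outside the warning window
      'warning'        still valid, but within pwdExpireWarning of expiry
      'expired-grace'  expired, but grace logins remain, so the bind succeeds
      'expired-denied' expired and grace exhausted: the bind fails with err=49
                       (nslcd: Password expired, as in the post)
    """
    if pwd_reset:
        return "must-change"
    if max_age == 0:            # pwdMaxAge 0 means passwords never expire
        return "ok"
    age = (now - parse_generalized_time(pwd_changed_time)).total_seconds()
    if age < max_age:
        return "warning" if max_age - age <= expire_warning else "ok"
    # grace_used stands in for the number of pwdGraceUseTime values on the entry
    return "expired-grace" if grace_used < grace_limit else "expired-denied"


NSLCD_CONTROL = re.compile(
    r'<authc="(?P<user>[^"]+)"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE '
    r'\((?P<msg>[^)]+)\)')
SLAPD_EXPIRED = re.compile(
    r"ppolicy_bind: Entry (?P<dn>.+?) has an expired password: (?P<grace>\d+) grace logins")
SLAPD_BIND_RESULT = re.compile(r"conn=(?P<conn>\d+) op=\d+ RESULT tag=97 err=(?P<err>\d+)")

NSLCD_VERDICTS = {
    "Password expired": "expired-denied",
    "Password must be changed": "must-change",
}


def classify_lines(lines):
    """Turn nslcd -d and slapd log lines into (source, subject, verdict) tuples.
    Lines that say nothing about the password-policy outcome are skipped."""
    events = []
    for line in lines:
        m = NSLCD_CONTROL.search(line)
        if m:
            msg = m.group("msg")
            events.append(("nslcd", m.group("user"), NSLCD_VERDICTS.get(msg, msg)))
            continue
        m = SLAPD_EXPIRED.search(line)
        if m:
            # In the post this line accompanies the refused bind; the number is
            # the grace logins left (0 there), kept for the record.
            events.append(("slapd", m.group("dn"),
                           "expired-denied (%s grace logins left)" % m.group("grace")))
            continue
        m = SLAPD_BIND_RESULT.search(line)
        if m and m.group("err") == "49":   # LDAP result 49 = invalidCredentials
            events.append(("slapd", "conn=" + m.group("conn"), "bind-refused"))
    return events


# Constructed sample: four lines copied from the post plus one invented nslcd
# line for a pwdReset=TRUE user ("jdoe") to show the contrasting outcome.
SAMPLE_LOG = [
    'nslcd: [b0dc51] <authc="rarigita"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired)',
    'nslcd: [b0dc51] <authc="rarigita"> DEBUG: ldap_parse_result() result: Invalid credentials',
    'nslcd: [c0ffee] <authc="jdoe"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)',
    "Mar 18 13:27:43 CarlosIs99 slapd[1757]: ppolicy_bind: Entry cn=Rodrigo Arigita,ou=Usuarios,ou=Bandam,ou=Externos,dc=domain has an expired password: 0 grace logins",
    "Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=1 RESULT tag=97 err=49 text=",
    "Mar 18 13:27:43 CarlosIs99 slapd[1757]: conn=6324 op=2 UNBIND",
]


if __name__ == "__main__":
    now = parse_generalized_time("20240318132743Z")   # timestamp of the slapd lines
    # Assumed pwdChangedTime ten minutes earlier: with pwdMaxAge 120 it is expired.
    print(password_state("20240318131743Z", now))                # expired-grace
    print(password_state("20240318131743Z", now, grace_used=1))  # expired-denied
    for event in classify_lines(SAMPLE_LOG):
        print(event)
```

Two things the quoted policy values make visible when run through this model: with pwdExpireWarning equal to pwdMaxAge (both 120), every still-valid password is already inside the warning window, and with pwdGraceAuthNLimit 1 a single bind after expiry succeeds before the next one produces the "0 grace logins" / err=49 refusal seen in the slapd log.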