lists.arthurdejong.org

RE: nslcd + ppolicy expired passwords notifications and change prompt

Thanks for replying. See my comments below:

>> Does the current version of nslcd + libraries support password change at the 
>> ssh prompt when logging in with an expired password controlled by ppolicy?

>It should but there could be bugs as the code errs towards denying access if 
>there is confusion.

>> With pwdReset TRUE, on nslcd -d
>> I get: LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed) 
>> and it asks for a password change; otherwise I get: 
>> LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired), login denied, 
>> no password change.

>I don't understand, do you get both messages on one login? The second message 
>seems to suggest that the password is no longer valid and cannot be used for 
>authentication.

No, I get either LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed) 
if I set the pwdReset attribute on the user account, or 
LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired) if there is no pwdReset 
attribute and the password has expired under ppolicy.

In my view, if the nslcd daemon receives LDAP_CONTROL_PASSWORDPOLICYRESPONSE 
(Password expired), it should at least allow a password change, unless the admin 
sets a lock on the user account or changes the password to something that the 
user does not know, thus throwing an error and an invalid login.


>The relevant code and logic is here:
>https://arthurdejong.org/git/nss-pam-ldapd/tree/nslcd/myldap.c#n470

>Btw, which version of nss-pam-ldapd are you using?

I'm testing both v.0.9.9 and v.0.9.10 with support for ppolicy.


--
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
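The two control values discussed in this thread can be inspected directly. The following is an added example, not code from nss-pam-ldapd or from either poster: a minimal BER decoder for the PasswordPolicyResponseValue carried in the LDAP password policy response control (OID 1.3.6.1.4.1.42.2.27.8.5.1, draft-behera-ldap-password-policy), with the error texts as OpenLDAP's ldap_passwordpolicy_err2txt() reports them (the strings that appear in the nslcd -d output quoted above). The sample control values are constructed by hand, and bind_outcome() is a model of the behaviour reported in the thread, not nslcd's own logic.

```python
"""Decode the LDAP password policy response control value and classify it.

Added example: hand-rolled BER parsing so it runs offline; the byte strings
in SAMPLES are constructed for illustration, not captured from a server.
"""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# error ENUMERATED values from draft-behera-ldap-password-policy, with the
# text OpenLDAP's ldap_passwordpolicy_err2txt() returns for each of them
PPOLICY_ERRORS = {
    0: "Password expired",
    1: "Account locked",
    2: "Password must be changed",           # changeAfterReset (pwdReset TRUE)
    3: "Policy prevents password modification",
    4: "Policy requires old password in order to change password",
    5: "Password fails quality checks",
    6: "Password is too short for policy",
    7: "Password has been changed too recently",
    8: "New password is in list of old passwords",
}


def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos].

    Handles short-form and long-form definite lengths, which is all this
    control ever uses.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Parse PasswordPolicyResponseValue ::= SEQUENCE {
        warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                             graceAuthNsRemaining [1] INTEGER } OPTIONAL,
        error   [1] ENUMERATED { passwordExpired(0), ... } OPTIONAL }

    Returns a dict with the keys present: 'expire', 'grace', 'error'.
    """
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    result = {}
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                       # warning [0], constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            n = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:                  # timeBeforeExpiration [0]
                result["expire"] = n
            elif wtag == 0x81:                # graceAuthNsRemaining [1]
                result["grace"] = n
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:                     # error [1], primitive ENUMERATED
            result["error"] = int.from_bytes(inner, "big", signed=True)
        else:
            raise ValueError("unexpected tag 0x%02x in response value" % tag)
    return result


def bind_outcome(policy):
    """Classify a decoded control as ('allow'|'change'|'deny', reason).

    Model of the behaviour reported in the thread (assumption, not nslcd code):
    changeAfterReset leads to a change prompt, any other error denies login.
    """
    err = policy.get("error")
    if err is None:
        if "grace" in policy:
            return "allow", "%d grace logins remaining" % policy["grace"]
        if "expire" in policy:
            return "allow", "password expires in %d seconds" % policy["expire"]
        return "allow", "no policy condition reported"
    text = PPOLICY_ERRORS.get(err, "Unknown error code")
    return ("change" if err == 2 else "deny"), text


# Constructed sample control values (DER), one per case from the thread:
SAMPLES = {
    "pwdReset TRUE":      b"\x30\x03\x81\x01\x02",                  # error=2
    "password expired":   b"\x30\x03\x81\x01\x00",                  # error=0
    "expires in 1 day":   b"\x30\x07\xa0\x05\x80\x03\x01\x51\x80",  # 86400 s
    "2 grace logins":     b"\x30\x05\xa0\x03\x81\x01\x02",          # grace=2
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        decoded = decode_ppolicy_response(raw)
        print("%-18s %-28s -> %s" % (label, decoded, bind_outcome(decoded)))
```

The distinction the thread turns on is visible in the server's bind result, not only in the control: with pwdReset TRUE the bind succeeds and the control carries changeAfterReset, so there is an authenticated session in which the user is allowed to do nothing but change the password; when the password has expired with no grace logins left, the bind itself fails (invalidCredentials) and the control only explains why, so the client has no session through which it could change anything. When debugging, feed the raw control value from a packet capture or from the client library's bind-result controls into decode_ppolicy_response() to confirm which of the two the server actually sent.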