RSS feed

RE: nslcd + ppolicy expired passwords notifications and change prompt

[Date Prev][Date Next] [Thread Prev][Thread Next]

RE: nslcd + ppolicy expired passwords notifications and change prompt

Thanks for replying. See my comments bellow:

>> Does current versiĆ³n of nslcd + libraries support password change on 
>> ssh prompt when login in with expired password controlled by ppolicy?

>It should but there could be bugs as the code errs towards denying access if 
>there is confusion.

>> With pwdReset TRUE, on nslcd -d
>> I get: LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed) 
>> it asks for password change else I get: 
>> LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired) Login denied, 
>> no password change.

>I don't understand, do you get both messages on one login? The second message 
>seems to suggest that the password is no longer valid and cannot be used for 

NO, I get either LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed) 
if I set pwdReset attribute to the user account OR
I get LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password expired) if no pwdReset 
attribute and password is expired by ppolicy.

To my idea, if the nslcd Daemon receives a LDAP_CONTROL_PASSWORDPOLICYRESPONSE 
(Password expired), it should at least allow for password change, unless admin 
sets a LOCK on the user account or changes the password to something that the 
user does not know, thus throwing an error and Invalid Login.

>There relevant code and logic is here:

>Btw, which version of nss-pam-ldapd are you using?

I'm testing both v.0.9.9 and v.0.9.10 with support for ppolicy.

-- arthur - - --