LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
LinkBack Search this Thread
Old 03-26-2012, 08:50 PM   #1
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Rep: Reputation: 15
OpenLDAP passwords expiring immediately


I am running OpenLDAP as packaged for CentOS 5 and having problems with passwords expiring.

Users are being told every time they login that their password has expired and to change their password. When a user's OpenLDAP account ShadowMax is changed to 99999 their passwords are not expiring. But when I change back to 90 days the problem is there again. ShadowLastChange is updating to the correct date when they input a new password. Thank you for you time and input as to why this might be occurring.
 
Old 03-27-2012, 10:36 AM   #2
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Original Poster
Rep: Reputation: 15
I am able to login fine after I change my password, but I have to change my password every time I log in, /var/log/secure:

Mar 27 11:28:28 ldap login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=john
Mar 27 11:28:28 ldap login: pam_unix(login:account): expired password for user john (password aged)
Mar 27 11:28:28 ldap login: pam_unix(login:chauthtok): user "john" does not exist in /etc/passwd
Mar 27 11:28:46 ldap login: pam_unix(login:chauthtok): user "john" does not exist in /etc/passwd
Mar 27 11:28:46 ldap login: pam_unix(login:session): session opened for user john by LOGIN(uid=0)
Mar 27 11:28:46 ldap login: LOGIN ON tty1 BY john

The CentOS generated /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
 
Old 03-27-2012, 11:05 AM   #3
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Original Poster
Rep: Reputation: 15
Users solely reside in OpenLDAP and when the user inputs their new password shadow is not being updated with the Last Change number, as illustrated by:
getent shadow
john:*::0:90:7:::

I have tried updating the password with passwd and it still does not update.
 
Old 03-27-2012, 04:57 PM   #4
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Original Poster
Rep: Reputation: 15
When I set shadowMax to -1 the shadow is being updated:
getent shadow john
john:*::0::7:::

# john, People, gd-ldap.com
dn: uid=john,ou=People,dc=gd-ldap,dc=com
uid: john
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/john
gecos: John Doe
mail: john.doe@domain.com
userPassword:: e2NyeXB0fSQxJDg1JkIwY28uJGN2YmR2V2dyY0hPS1lQVVVZeFVGdi8=
shadowLastChange: 15426
shadowMax: -1




When I set the Last Change to 15419 and Max to 900 only the Max changes.
How do I get the last change in shadow to update?
getent shadow john
john:*::0:900:7:::

# john, People, gd-ldap.com
dn: uid=john,ou=People,dc=gd-ldap,dc=com
uid: john
cn: John Doe
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/john
gecos: John Doe
mail: john.doe@domain.com
userPassword:: e2NyeXB0fSQxJDg1JkIwY28uJGN2YmR2V2dyY0hPS1lQVVVZeFVGdi8=
shadowLastChange: 15419
shadowMax: 900
 
Old 03-27-2012, 05:32 PM   #5
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Original Poster
Rep: Reputation: 15
found my mistake. Somewhere along the line I had some problems with an account expiring and edited slapd.conf as follows:
access to attrs=userPassword,userLastChange
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by self write
by * auth

access to *
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by users read
by self write
by * read

I changed back to:
access to attrs=userPassword
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by self write
by * auth
access to *
by dn="cn=Manager,dc=gd-ldap,dc=com" write
by users read
by self write
by * read

And now it works.
 
Old 03-28-2012, 04:38 PM   #6
clcbluemont
Member
 
Registered: Feb 2009
Distribution: Slackware
Posts: 87

Original Poster
Rep: Reputation: 15
For some reason it did not work again, so I added the following to /etc/openldap/slapd.conf
access to attrs=shadowLastChange
by * write
by * auth

Let us hope it works tomorrow.
 
  


Reply

Tags
authentication, openldap, pam


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] OpenLDAP SHA hashed passwords won't work h.ka Linux - Server 5 02-27-2011 05:27 PM
OpenLDAP and passwords Nr. 18 Linux - Software 1 01-13-2010 08:09 AM
LXer: OpenLDAP Quick Tips: Creating encrypted passwords LXer Syndicated Linux News 0 11-19-2008 01:40 PM
detecting expiring passwords jcivello Linux - General 1 12-02-2005 08:56 PM
expiring passwords in kerberos with AD acb67 Linux - Security 1 10-31-2003 01:22 PM


All times are GMT -5. The time now is 04:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration