OpenLDAP, nss_ldap, pam_ldap and shadow account info
I am about to put a new LDAP server into production and found that the shadow account information is not being used from the LDAP server. I need to limit the life of a user's passwords and provide a warning when the password is close to expiration. I have added objectClass: shadowAccount and updated shadowMax, shadowMin, shadowInactive, and shadowWarning for all users in the LDAP database. I am using nss_ldap with /etc/nsswitch.conf as follows:
# /etc/nsswitch.conf: each map is tried left to right
passwd: files ldap
group: files ldap
# shadow must list ldap for getspnam() (and getent shadow) to reach the directory
shadow: files ldap
hosts: files dns ldap
services: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
automount: files ldap
aliases: files
sendmailvars: files
netgroup: files nis
I have set up /etc/pam.d/system-auth with pam_ldap:
# auth: pam_unix asks for the password first; pam_ldap reuses it (use_first_pass)
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
# account: either module passing its ageing/expiry check is enough (sufficient)
account sufficient /lib/security/pam_unix.so
account sufficient /lib/security/pam_ldap.so
# password: cracklib checks strength, then the same new password (use_authtok) goes to files or LDAP
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
# session
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
If I run the command 'getent shadow', only the local users show up with shadow data, though the LDAP users are listed:
localuser:$1$yfaTi6eZ$FYmr3xcsx7olyJaucn3F91:12593:0:180:7:::
ldapuser::x:::::::0
Do nss_ldap and/or pam_ldap support shadow account info to limit password life? Is there something else I need to do to get shadow info to work properly?
Thanks,
Patrick
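The script below is an added example, not part of Patrick's post or of the nss_ldap/pam_ldap projects. It parses `getent shadow` output in the shadow(5) field layout (name:pw:lastchg:min:max:warn:inactive:expire:flag, days since 1970-01-01) and reports, per user, whether the directory actually returned the fields that password ageing depends on and what they imply for a given day. The point it makes against the output above: ageing is computed from shadowLastChange plus shadowMax, so an entry that comes back with an empty or non-numeric lastchg column (as the ldapuser line does) can never expire, no matter how shadowMax and shadowWarning are set; shadowLastChange has to be populated in the entry and readable by whatever identity nss_ldap binds as. The sample input is constructed: the two lines from the post plus a hypothetical ldapuser2 whose ageing attributes are returned.

```shell
#!/bin/sh
# Added example (not from the original post): classify getent(1) shadow lines.
# Field layout per shadow(5): name:pw:lastchg:min:max:warn:inactive:expire:flag

# Constructed sample: the two lines Patrick posted plus a hypothetical
# "ldapuser2" whose shadowLastChange/shadowMax/shadowWarning come back populated.
SAMPLE_SHADOW='localuser:$1$yfaTi6eZ$FYmr3xcsx7olyJaucn3F91:12593:0:180:7:::
ldapuser::x:::::::0
ldapuser2:x:12500:0:180:7:::'

# True only for a non-empty string of digits.
is_num() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# shadow_status_line LINE TODAY
# Prints one word: no-ageing-data | must-change | expired | warning | ok
shadow_status_line() {
    ssl_line=$1; ssl_today=$2
    ssl_lastchg=$(printf '%s\n' "$ssl_line" | cut -d: -f3)
    ssl_max=$(printf '%s\n' "$ssl_line" | cut -d: -f5)
    ssl_warn=$(printf '%s\n' "$ssl_line" | cut -d: -f6)
    # A backend with no shadowLastChange/shadowMax to offer yields empty (or
    # non-numeric) fields; there is nothing to age from.
    if ! is_num "$ssl_lastchg" || ! is_num "$ssl_max"; then
        echo no-ageing-data; return 0
    fi
    # shadow(5): lastchg 0 forces a password change at next login.
    if [ "$ssl_lastchg" -eq 0 ]; then echo must-change; return 0; fi
    is_num "$ssl_warn" || ssl_warn=0
    ssl_left=$(( ssl_lastchg + ssl_max - ssl_today ))   # days until expiry
    if [ "$ssl_left" -lt 0 ]; then echo expired
    elif [ "$ssl_left" -le "$ssl_warn" ]; then echo warning
    else echo ok
    fi
}

# shadow_status NAME TODAY -- look NAME up in the constructed sample above.
shadow_status() {
    ss_line=$(printf '%s\n' "$SAMPLE_SHADOW" | grep "^$1:" | head -n 1)
    [ -n "$ss_line" ] || { echo unknown-user; return 0; }
    shadow_status_line "$ss_line" "$2"
}

# audit_shadow [TODAY] < getent-output -- prints "user status" per entry.
# TODAY defaults to the current day number, matching what PAM would use.
audit_shadow() {
    as_today=${1:-$(( $(date +%s) / 86400 ))}
    while IFS= read -r as_line; do
        [ -n "$as_line" ] || continue
        printf '%s %s\n' "${as_line%%:*}" "$(shadow_status_line "$as_line" "$as_today")"
    done
}

# Usage on the sample; on a live box run: getent shadow | audit_shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 12600
```

Run as root (or as any user for the sample) so that `getent shadow` actually returns the password ageing columns; a user that shows up as no-ageing-data is one whose entry, as seen through nss_ldap, lacks a numeric shadowLastChange or shadowMax, and that is the first thing to check with ldapsearch against the same bind identity nss_ldap uses.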