LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 12-14-2017, 04:30 AM   #1
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Rep: Reputation: Disabled
LDAP user expired


I configured an LDAP server on RHEL 7.2 3-4 months ago and at that time it was working fine. The URL I used for the configuration is http://www.learnitguide.net/2016/01/...-on-rhel7.html.

I created 3-4 LDAP users, namely ldapuser1, 2, 3, 4, when I set up the server. At that time I was able to log in on the LDAP clients.

But now I am unable to log in to the LDAP clients with these users. While logging in with an ldapuser, after entering the password it gives the error "Server unexpectly closed Network connection".

I have also changed the LDAP user's password, but still to no avail.

If I create new LDAP users, I can log in to the LDAP client with that user.

I have tried this on all LDAP clients. On all clients I can log in with a newly created user, but I cannot log in with the existing old LDAP users.


Then on checking further, I saw in the logs that "ldapuser1" has expired and is locked.

Date LDAPClient unix_chkpwd[10173]: password check failed for user (ldapuser1)
Date LDAPClient sshd[10160]: pam_unix(sshd:account): account ldapuser1 has expired (failed to change password)

Date LDAPClient sshd[10160]: pam_ldap(sshd:account): password expired 176 days ago, account locked 146 days ago; user=ldapuser1

Date LDAPClient sshd[10160]: Failed password for ldapuser1 from IPport 58854 ssh2

Date LDAPClient sshd[10160]: fatal: Access denied for user ldapuser1 by PAM account configuration [preauth]

Date LDAPClient sshd[10160]: PAM 1 more authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=IP user=ldapuser1


My questions are as below.

1. Besides the logs, how can I check whether my LDAP user is expired or is going to expire? Is there a command for that?
2. How do I fix the current issue?
 
Old 12-14-2017, 06:31 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
My questions are as below.

1. Besides the logs, how can I check whether my LDAP user is expired or is going to expire? Is there a command for that?
2. How do I fix the current issue?
1. Use ldapsearch to find the accounts that have expired, using pwdChangedTime.
Code:
ldapsearch -D "admin DN" -w "admin password" -b "ou=People,dc=Domain,dc=com" '(&(uid=*)(pwdChangedTime>=XXXX))'
where XXXX is the number of pwdMaxAge.
And you can use XXXX=pwdMaxAge-86400, for example, in order to find users 1 day before their password expires.


2. Use ldappasswd to give the user a new password:
Code:
ldappasswd -D "admin DN" -w "admin password" -s "new password for expired user" "user DN"
 
Old 12-14-2017, 08:28 AM   #3
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Thanks for the reply.

For point 1, I executed the command below on the LDAP server, but I didn't get the required output.

[LDAPSrvr]# ldapsearch -D "cn=Manager,dc=domain,dc=com" -w <LDAPpasswd> -b "ou=People,dc=domain,dc=com" '(&(uid=*)(pwdChangedTime>=3024000))'
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=domain,dc=com> with scope subtree
# filter: (&(uid=*)(pwdChangedTime>=3024000))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1


This may be because I do not have the "pwdChangedTime" parameter in my password policy. My current password policy is as below.

[root@LDAPSrvr LDAPfiles]# cat passwordpolicy.ldif
dn: cn=default,ou=policies,dc=domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 3024000
pwdExpireWarning: 1814400
pwdInHistory: 4
pwdCheckQuality: 1
pwdMinLength: 9
pwdMaxFailure: 4
pwdLockout: TRUE
pwdLockoutDuration: 600
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE


Do I need to add the "pwdChangedTime" parameter to this policy? And if yes, please let me know how.

For point 2, I executed the command below on the LDAP server.

[root@LDAPSrvr LDAPfiles]# ldappasswd -D "cn=Manager,dc=domain,dc=com" -w <LDAPpasswd> "uid=ldapuser1,ou=People,dc=domain,dc=com"
New password: lV4cDWqc


When I log in to the LDAP client with the password "lV4cDWqc", it still gives me the error message "Server unexpectly closed Network connection".

Please find the logs below.

Dec 14 19:51:18 LDAPClient unix_chkpwd[39254]: password check failed for user (ldapuser1)
Dec 14 19:51:18 LDAPClient sshd[39239]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.148.75 user=ldapuser1
Dec 14 19:51:18 LDAPClient sshd[39239]: pam_unix(sshd:account): account ldapuser1 has expired (failed to change password)
Dec 14 19:51:18 LDAPClient sshd[39239]: pam_ldap(sshd:account): password expired 182 days ago, account locked 152 days ago; user=ldapuser1
Dec 14 19:51:18 LDAPClient sshd[39239]: Failed password for ldapuser1 from 10.21.148.75 port 52546 ssh2
Dec 14 19:51:18 LDAPClient sshd[39239]: fatal: Access denied for user ldapuser1 by PAM account configuration [preauth]


Kindly help
 
Old 12-14-2017, 12:27 PM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
1.
Quote:
This may be because I do not have the "pwdChangedTime" parameter in my password policy. My current password policy is as below.
This attribute is auto-created when the user changes his password.
Since I don't use ppolicy, I had to read that the format is YYYYMMDDhhmmssZ, so I guess you have to write a script that does the math to find which accounts are about to expire or have expired. You may try this, or adapt it to your needs.


2.
Quote:
For point 2, I executed the command below on the LDAP server.

[root@LDAPSrvr LDAPfiles]# ldappasswd -D "cn=Manager,dc=domain,dc=com" -w <LDAPpasswd> "uid=ldapuser1,ou=People,dc=domain,dc=com"
New password: lV4cDWqc
When I log in to the LDAP client with the password "lV4cDWqc", it still gives me the error message "Server unexpectly closed Network connection".
Then read case 2 here.
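The script bathory suggests, as an added example that is not part of the thread (not the poster's or bathory's own code): it reads pwdChangedTime (an LDAP GeneralizedTime, YYYYMMDDhhmmssZ) from ldapsearch LDIF output, applies the pwdMaxAge and pwdExpireWarning values from the policy posted above, and classifies each account as expired, expiring or ok. It also builds the ldapsearch filter with a timestamp cutoff, because pwdChangedTime is a timestamp and not a number of seconds, so the comparison value must be a timestamp too. The sample LDIF, the uids ldapuser2/ldapuser5/olduser and all timestamps are constructed for the example; pwdChangedTime is an operational attribute, so it has to be requested by name in the real ldapsearch call.

```python
"""Classify OpenLDAP ppolicy accounts by password age from ldapsearch LDIF output.

Added example for this thread; not the poster's or bathory's script. Policy values
are the ones posted in the thread (pwdMaxAge 3024000 s = 35 days, pwdExpireWarning
1814400 s = 21 days). Real input would come from something like (assumed DN/base):
  ldapsearch -x -D "cn=Manager,dc=domain,dc=com" -W -b "ou=People,dc=domain,dc=com" \
      '(uid=*)' uid pwdChangedTime
"""
from datetime import datetime, timedelta, timezone

PWD_MAX_AGE = 3024000         # seconds, from the thread's passwordpolicy.ldif
PWD_EXPIRE_WARNING = 1814400  # seconds, from the thread's passwordpolicy.ldif


def parse_generalized_time(value):
    """pwdChangedTime is LDAP GeneralizedTime in UTC, e.g. 20170511093000Z."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unexpected GeneralizedTime: %r" % value)
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def to_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, '#' comment lines skipped.
    Base64 ('::') values and line continuations are not handled; the attributes
    used here are plain ASCII."""
    entries, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, val = line.partition(":")
        if sep:
            current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


def expiry_status(entry, now):
    """'never-changed', 'expired', 'expiring' or 'ok' for one LDIF entry."""
    changed = entry.get("pwdChangedTime")
    if changed is None:
        # ppolicy only stamps pwdChangedTime when a password is set while the
        # overlay is active; entries that predate it simply lack the attribute.
        return "never-changed"
    expires_at = parse_generalized_time(changed) + timedelta(seconds=PWD_MAX_AGE)
    if now >= expires_at:
        return "expired"
    if now >= expires_at - timedelta(seconds=PWD_EXPIRE_WARNING):
        return "expiring"
    return "ok"


def expired_filter(now):
    """ldapsearch filter for already-expired passwords: changed at or before
    now - pwdMaxAge. GeneralizedTime orders correctly as a string, so the cutoff
    is a timestamp, not a number of seconds."""
    cutoff = now - timedelta(seconds=PWD_MAX_AGE)
    return "(&(uid=*)(pwdChangedTime<=%s))" % to_generalized_time(cutoff)


def report(ldif_text, now):
    """Map uid -> status for every entry in the LDIF that has a uid."""
    return {e["uid"]: expiry_status(e, now) for e in parse_ldif(ldif_text) if "uid" in e}


# Constructed sample output; ldapuser1's timestamp is chosen so that it expired
# 182 days before the thread's log lines, matching what pam_ldap reported.
SAMPLE_LDIF = """\
# extended LDIF
dn: uid=ldapuser1,ou=People,dc=domain,dc=com
uid: ldapuser1
pwdChangedTime: 20170511093000Z

dn: uid=ldapuser2,ou=People,dc=domain,dc=com
uid: ldapuser2
pwdChangedTime: 20171120120000Z

dn: uid=ldapuser5,ou=People,dc=domain,dc=com
uid: ldapuser5
pwdChangedTime: 20171213100000Z

dn: uid=olduser,ou=People,dc=domain,dc=com
uid: olduser
"""

# Dec 14 19:51:18 IST from the posted logs, expressed in UTC (IST is UTC+05:30).
NOW = datetime(2017, 12, 14, 14, 21, 18, tzinfo=timezone.utc)

if __name__ == "__main__":
    for uid, status in report(SAMPLE_LDIF, NOW).items():
        print("%-12s %s" % (uid, status))
    print("filter:", expired_filter(NOW))
```

With the thread's policy this prints ldapuser1 as expired, ldapuser2 as expiring (inside the 21-day warning window), ldapuser5 as ok and olduser as never-changed, and the filter it produces is the one to paste into ldapsearch in place of the numeric XXXX.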
 
Old 12-18-2017, 08:46 AM   #5
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Thanks for the reply!!!

For point 2, do I have to add the "pwdReset" attribute in ppolicy? Is that correct?

If yes, please share a link for updating the password policy, and what should the "pwdReset" value in ppolicy be, true or false?

Last edited by Ankushkalra; 12-18-2017 at 08:49 AM.
 
Old 12-18-2017, 11:36 AM   #6
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by Ankushkalra
Thanks for the reply!!!

For point 2, do I have to add the "pwdReset" attribute in ppolicy? Is that correct?

If yes, please share a link for updating the password policy, and what should the "pwdReset" value in ppolicy be, true or false?
According to the link above you need to set the pwdReset value to TRUE, so use ldapmodify with the following LDIF file:
Code:
dn: uid=ldapuser1,ou=People,dc=domain,dc=com
changetype: modify
add: pwdReset
pwdReset: TRUE
 
Old 12-20-2017, 06:42 AM   #7
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
Thanks for the reply!!!

I have successfully added the "pwdReset" attribute on LDAP user "ldapuser1". Please find the command below.


# ldapsearch -x -D cn=Manager,dc=domain,dc=com -w <LDAP_password> -b "ou=People,dc=domain,dc=com" -s sub -h `hostname` pwdReset

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: pwdReset
#

# People, domain.com
dn: ou=People,dc=domain,dc=com

# ldapuser1, People, domain.com
dn: uid=ldapuser1,ou=People,dc=domain,dc=com
pwdReset: TRUE


Kindly let me know what I have to do next to resolve the issue.
 
Old 12-20-2017, 08:06 AM   #8
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Kindly let me know what I have to do next to resolve the issue.
Huh, I guess that since pwdReset is TRUE, next time the user tries to login, he will be prompted to change his password.
 
Old 12-20-2017, 08:50 AM   #9
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
When I log in with that user, after entering the password it gives me the error "Server unexpectly closed Network connection".
 
Old 12-20-2017, 08:51 AM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,642
Blog Entries: 4

Rep: Reputation: 3933
Quote:
Originally Posted by bathory
Huh, I guess that since pwdReset is TRUE, next time the user tries to login, he will be prompted to change his password.
These are, strictly speaking, attributes of the LDAP dictionary entry, so be sure that you spell them exactly as required by whatever piece of system software will be referencing them.
 
Old 12-20-2017, 12:06 PM   #11
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Originally Posted by Ankushkalra
When I log in with that user, after entering the password it gives me the error "Server unexpectly closed Network connection".
Are you sure the password is correct? Perhaps you have exceeded the maximum number of failed logins.
Anyway, check the server logs (probably /var/log/secure) to get some hints.
 
Old 12-21-2017, 03:12 AM   #12
Ankushkalra
Member
 
Registered: Jan 2017
Posts: 48

Original Poster
Rep: Reputation: Disabled
I am giving the correct password. Please find the log file attached, from the time of the incident (when I logged in to the LDAP client and got the error message).

Please note: I can successfully log in to the LDAP client using "su".


[<LDAP_client]# su - ldapuser1
Creating home directory for ldapuser1.
Last login: Wed Dec 13 20:23:53 IST 2017 on pts/1
Last failed login: Thu Dec 21 13:18:18 IST 2017 from 10.21.148.75 on ssh:notty
There were 51 failed login attempts since the last successful login.
Attached Files
File Type: txt logs_login_expired_linuxquestion.txt (8.5 KB, 82 views)
 
Old 12-21-2017, 05:17 AM   #13
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
Please note: I can successfully log in to the LDAP client using "su".
As I've told you, I don't use ppolicy. Also, I'm running Slackware, which is PAM-free, so I cannot help you further.

But since you can su to the user in question, run "passwd" to try to change his password and see what you get.
 