However, it does not work for me so far. I need to know where OpenLDAP stores password-related information like "Last Password Change", so that it can decide when to expire a password.
Do we still need to inherit the users from the "shadowAccount" object class?
Also, I need to make an exception for some users and never expire their passwords.
So does this mean that things ARE working for you, and if so, why open this thread?
Quote:
I need to know where OpenLDAP stores password-related information like "Last Password Change", so that it can decide when to expire a password. Do we still need to inherit the users from the "shadowAccount" object class?
If you want some users to not expire, you create their own policy class and assign them to it. This is a VERY BAD IDEA. Non-expiring passwords are INCREDIBLE security holes.
Things are not working for me and I am trying to find out why.
Let me ask my question another way; maybe that's my bad.
After applying the ppolicy overlay, is there any way to see this information for each user? I mean numerical values similar to those that can be read from /etc/shadow. Can we obtain these values using any ldapsearch command?
I am not sure if this password policy is completely server-side or whether client-side configuration is required (pam_lookup_policy yes in ldap.conf?).
Quote:
Things are not working for me and I am trying to find out why. Let me ask my question another way; maybe that's my bad.
After applying the ppolicy overlay, is there any way to see this information for each user? I mean numerical values similar to those that can be read from /etc/shadow. Can we obtain these values using any ldapsearch command?
You can list users in the policy group, or list complete user information, which will tell you what policy (or policies) apply to them. Read the man pages on the relevant LDAP commands.
Quote:
I am not sure if this password policy is completely server-side or whether client-side configuration is required (pam_lookup_policy yes in ldap.conf?).
And back to "read the OpenLDAP documentation". You can set things up in a variety of ways. Which did you pick?
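As an added example that is not from this thread: the ppolicy overlay keeps its per-user state in operational attributes (pwdChangedTime, pwdPolicySubentry, pwdAccountLockedTime, ...), which ldapsearch returns only when they are named explicitly or requested with '+'. The script below parses a constructed ldapsearch output for those two attributes and reports each account's expiry from its policy's pwdMaxAge; the base DN, policy DNs and pwdMaxAge values are assumed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of this query's output (base DN and policy names assumed);
# the ppolicy operational attributes are only returned when named:
#   ldapsearch -x -LLL -b ou=people,dc=example,dc=com '(uid=*)' pwdChangedTime pwdPolicySubentry
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20180706012900Z
pwdPolicySubentry: cn=default,ou=policies,dc=example,dc=com

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20180601120000Z
pwdPolicySubentry: cn=noexpire,ou=policies,dc=example,dc=com

dn: uid=carol,ou=people,dc=example,dc=com
pwdChangedTime: 20180101000000Z
"""
# pwdMaxAge (seconds) per policy entry; 0 = never expires (constructed values,
# in practice read from the pwdPolicy entries themselves).
DEFAULT_POLICY = "cn=default,ou=policies,dc=example,dc=com"
POLICY_MAX_AGE = {DEFAULT_POLICY: 90 * 86400,
                  "cn=noexpire,ou=policies,dc=example,dc=com": 0}

def parse_ldif(text):
    """Return {dn: {attr: value}} from single-valued ldapsearch -LLL output."""
    entries, cur = {}, None
    for line in text.splitlines():
        if not line.strip():               # blank line ends an entry
            cur = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            cur = entries.setdefault(value, {})
        elif cur is not None:
            cur[attr] = value
    return entries

def parse_gtime(s):                        # LDAP GeneralizedTime, UTC
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_status(entry, now):
    # An entry without pwdPolicySubentry falls under the default policy.
    max_age = POLICY_MAX_AGE[entry.get("pwdPolicySubentry", DEFAULT_POLICY)]
    if max_age == 0:
        return "never"
    expires = parse_gtime(entry["pwdChangedTime"]) + timedelta(seconds=max_age)
    return "expired" if now >= expires else "expires " + str(expires.date())

def report(ldif, now_gtime):
    """Password expiry status per DN, as of the given GeneralizedTime."""
    now = parse_gtime(now_gtime)
    return {dn: expiry_status(e, now) for dn, e in parse_ldif(ldif).items()}
```

Because these attributes are only updated when the password is changed through slapd, a change that bypasses the directory leaves pwdChangedTime stale, which is what this report would reveal.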
ppolicy is not being enforced when I use the 'passwd' command
Does ppolicy work only with the 'ldappasswd' command?
My ppolicy is being enforced when I use the 'ldappasswd' command but not when I use the 'passwd' command.
The 'passwd' command, however, connects to the LDAP server settings only. It's just that the policy is not enforced.
Quote:
I am not sure if this password policy is completely server-side or whether client-side configuration is required (pam_lookup_policy yes in ldap.conf?).
Last edited by ramkrishnan; 07-06-2018 at 01:29 AM.
Quote:
Does ppolicy work only with the 'ldappasswd' command?
My ppolicy is being enforced when I use the 'ldappasswd' command but not when I use the 'passwd' command. The 'passwd' command, however, connects to the LDAP server settings only. It's just that the policy is not enforced.
You need to read the LQ Rules and the "Question Guidelines"; you have:
Reopened a thread that had been closed for FOUR YEARS
Hijacked it with your own question
Not provided ANY useful details that would let us help you
Open your own thread for your own question, and when you do, provide the details (such as what you've done/tried, the version/distro of Linux, etc.). And did you read the man pages on the passwd command, and what it does? Mainly, it is for LOCAL accounts. If you're using LDAP, that's where things are set, obviously.