
We installed the ppolicy overlay on our LDAP server. Password policies work correctly for locking out a user after X incorrect password attempts, but we can't force a user to change his password.

When we set the pwdReset=TRUE attribute for a user, the user can log in as usual from an Ubuntu client machine.

The LDAP server and client were set up according to the Ubuntu howto: https://help.ubuntu.com/12.10/serverguide/openldap-server.html

The client machine uses pam_ldap.

The configuration file /etc/ldap.conf has a "pam_lookup_policy yes" line.

But pwdReset attribute is ignored.

According to what I read on the internet, pam_ldap should honor ppolicy and require the user to change his password when pwdReset is set. But it doesn't work for us...

How do I make the Ubuntu client honor the pwdReset attribute?

Maybe I can turn on debug logging for pam_ldap? But I can't find out how to do it...

Dima L.

2 Answers


You must make sure that pwdMustChange is set to TRUE on the user's effective password policy.

See the slapo-ppolicy manpage for more information.

slm
Vince

I ran into this as well -- my particular problem was that while some third-party applications (Okta in our case) look for pwdReset, the pam_ldap plugin does not.

After taking a look at the source code for pam_ldap as hosted here: https://github.com/wfhu/pam_ldap -- I've come to the conclusion that pam_ldap completely ignores pwdReset which is part of OpenLDAP's ppolicy.schema. You can find the schema that OpenLDAP uses here: http://www.zytrax.com/books/ldap/ape/ppolicy.html

NOTE: I believe the problem is that the OpenLDAP policy attributes are different from the original schema that (Netscape?/UniversityOfMichigan?/Sun?) LDAP server implementation used, which is what pam_ldap expects.

What does work correctly are the shadow* attributes that are part of the shadowAccount objectClass.

[Steps are for Ubuntu]

  1. Make sure that your user(s) have a password policy set in LDAP by checking pwdPolicySubentry:

    ldapsearch (...) -b dc=example,dc=org "(uid=testinguser)" pwdPolicySubentry
    
  2. Check your user's shadow* information

    slapcat -a uid=testinguser
    
  3. Set shadowLastChange to 0 to allow pam_ldap to recognise an expired password

    This could be done via a script that checks for pwdReset and updates shadowLastChange.

When this is set up, PAM will correctly force a user to change their password on login.

See also: http://www.openldap.org/lists/openldap-technical/201210/msg00044.html

c4urself
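An added example, not from the answer above or from pam_ldap, of the kind of script step 3 alludes to: it reads the LDIF that `ldapsearch -LLL -b dc=example,dc=org "(&(objectClass=shadowAccount)(pwdReset=TRUE))" shadowLastChange` prints and emits ldapmodify LDIF that sets shadowLastChange to 0 for every matched user whose value is not already 0, so pam_ldap sees an expired password. The base DN and uids are constructed, the script name pwdreset_sync.py is hypothetical, and the example assumes the server permits a filter on the operational attribute pwdReset.

```python
import base64, sys

# Constructed sample of the output of `ldapsearch -LLL -b dc=example,dc=org
# "(&(objectClass=shadowAccount)(pwdReset=TRUE))" shadowLastChange`: an ASCII dn,
# a base64-encoded ("dn::") non-ASCII dn, and a user whose password is already expired.
SAMPLE_SEARCH_OUTPUT = """\
dn: uid=testinguser,ou=people,dc=example,dc=org
shadowLastChange: 15700

dn:: dWlkPWrDvHJnZW4sb3U9cGVvcGxlLGRjPWV4YW1wbGUsZGM9b3Jn

dn: uid=alreadyreset,ou=people,dc=example,dc=org
shadowLastChange: 0
"""

def parse_ldif_entries(text):
    """Yield one {attribute: value} dict per LDIF entry."""
    entry = None
    # "\n " joins folded continuation lines; the trailing "" flushes the last entry
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if entry is not None:
                yield entry
            entry = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>", e.g. a non-ASCII dn
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name == "dn":
                entry = {"dn": value}
            elif entry is not None:
                entry[name] = value

def ldif_dn(dn):
    """Plain 'dn:' for safe ASCII, base64 'dn::' otherwise (RFC 2849)."""
    if dn.isascii() and not dn.startswith((" ", ":", "<")):
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode()).decode()

def build_reset_ldif(search_output):
    """ldapmodify LDIF that sets shadowLastChange to 0 (an expired password as far as
    pam_ldap is concerned) for every matched user not already at 0."""
    return "\n".join(ldif_dn(e["dn"]) + "\nchangetype: modify\nreplace: shadowLastChange\n"
                     "shadowLastChange: 0\n" for e in parse_ldif_entries(search_output)
                     if e.get("shadowLastChange") != "0")

if __name__ == "__main__":   # ldapsearch ... | python3 pwdreset_sync.py | ldapmodify -x -D <admin> -W
    sys.stdout.write(build_reset_ldif(sys.stdin.read()))
```

Because shadowLastChange is what pam_ldap actually evaluates, the generated modification only takes effect for users whose entries carry the shadowAccount objectClass, which is why the filter restricts the search to them.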