On Friday, 3 September 2010 13:15:21 Dannie Obbink wrote:
> -------- Forwarded Message --------
> > From: Obbink, D. (Dannie) <[email protected]>
> > To: [email protected]
> > Subject: PAM not warning for password expiration
> > Date: Thu, 22 Jul 2010 19:29:36 +0200
> >
> > When users with an expired account try to log on to an application
> > making a bind using the user's own credentials, everything works as
> > expected; users cannot log in, access gets denied. In the slapd
> > logging, the following message is displayed:
> >
> > Jul 21 14:06:25 slapd2.4[27182]: ppolicy_bind: Entry uid=<user> has an
> > expired password: 0 grace logins
> >
> > But when trying to log into PAM (ssh, su etc.), there is no warning
> > displayed that the account is expired. The user is also allowed to log in
> > normally.
> >
> > I've been Googling for a couple of days now, and can't really find the
> > culprit.
> >
> > I was especially interested in this thread:
> > http://www.openldap.org/lists/openldap-technical/201003/msg00197.html
> >
> > So, I've set pwdExpireWarning to 1 second less than pwdMaxAge.
> >
> > When I try to bind directly, such as with an ldapsearch, the logging
> > shows
> >
> > Jul 22 15:31:56 slapd2.4[27182]: ppolicy_bind: Setting warning for
> > password expiry for uid=<user> = 4318121 seconds
> >
> > So, that seems to be correct.
> > But, when logging in via PAM, the log does not display the "setting
> > warning".
> >
> > <SNIP>
> >
> > Thank you for any responses,
> > Dannie Obbink
>
> Hello list,
>
> Well, I finally found a workaround which "works for me": use SSSD (found
> in the EPEL repos for Redhat / Centos / Fedora and standard for RHEL6).
>
> SSSD, unlike pam_ldap, IS nice enough to warn me of impending password
> expiry.
>
> I found multiple bugs about this (really helps if you know what to
> search for) such as https://bugzilla.redhat.com/show_bug.cgi?id=190256 and
> http://bugs.centos.org/view.php?id=4468&nbn=5
>
> I just wanted to share with you all that this definitely looks like a
> pam_ldap bug.
No bug in pam_ldap, probably just a problem with your 'account' lines in
your pam stack. For me, on RHEL4 and RHEL5 and Mandriva etc., pam_ldap
warns appropriately of impending password expiry, and forces password
changes after the password has expired. There have been a number of
threads on this list, in a few of which I have posted the solution.

Regards,
Buchan
