On Tuesday, 22 December 2009 23:25:21 Joe Friedeggs wrote:
> I am working (with RH via Dell support) to solve an issue (that I believe
> to be a pam_ldap issue). The problem is that the password policy control
> messaging does not occur when I set 'pam_password md5', thus the Linux
> client never knows that the password expires.

Works fine here with pam_ldap 183 and:

pam_password exop
pam_lookup_policy yes

(Well, I would really prefer if pam_ldap prompted to change the password
while there are still grace logins left, instead of waiting until they are
all used ... I'll file a bug on that).

> They have informed me that the password policy overlay in LDAP requires
> clear-text passwords, and will not handle the password policy stuff if the
> password is hashed. This makes no sense to me, since ppolicy is only
> handling expiry times, etc. and pam is handling the rest (length,
> strength, etc., prior to hash).
>
> Does the ppolicy overlay require clear-text?

Only if you want it to enforce password quality, but then you should use
pam_password exop, or set 'ppolicy_hash_cleartext yes' in slapd.conf so that
cleartext passwords are hashed on the server.

Regards,
Buchan