Hi All,

Right after I sent this email, I was able to determine the problem. Unfortunately it was an ACI set on the Sun One Directory Server which prevented my proxyusr from reading shadowLastChange and shadowMax.

After fixing the given ACI, everything is now working as expected!

Thanks anyway and have a nice day, evening or night!

Cheers,
Simon

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Simon Reber
> Sent: Tuesday, November 16, 2010 4:53 PM
> To: [email protected]
> Subject: [rhelv5-list] Authenticating against Sun One Directory
>
> Hi all,
>
> We are currently migrating all our RHEL 5 Linux Servers to a central Sun One Directory Server (LDAP).
> So far everything works well (we are using compat mode to restrict access).
>
> But now after a while, we ran into a problem when using ssh with key based authentication.
> With the setup we are using, the system can calculate the password age by looking at the shadowLastChange and shadowMax attributes, both available in LDAP.
>
> When the password is expired, the user gets a prompt during login, telling him to change the password immediately.
> But if the user uses key based authentication, the warning is not displayed and the user can log in without having to change the password.
>
> As from my understanding, this should be handled by pam - but unfortunately this doesn't work as expected.
> My configuration of the client looks as follows:
>
> # cat /etc/ldap.conf
> base dc=internal,dc=ch
> binddn uid=proxyusr,dc=internal,dc=ch
> bindpw <password>
> port 389
> scope sub
> timelimit 120
> bind_timelimit 120
> bind_policy soft
> idle_timelimit 3600
> pam_filter objectclass=posixaccount
> pam_login_attribute uid
> pam_password clear
> pam_password_prohibit_message Please visit http://internal to change your password.
> nss_base_passwd ou=People,dc=internal,dc=ch?one
> nss_base_shadow ou=People,dc=internal,dc=ch?one
> nss_base_group ou=Groups,dc=internal,dc=ch?one
> nss_base_netgroup ou=Netgroup,dc=internal,dc=ch?sub
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
> uri ldap://<LDAP Server>/
> ssl no
> tls_cacertdir /etc/openldap/cacerts
> pam_password md5
> debug 0
>
>
> # cat /etc/nsswitch.conf
> passwd: compat
> shadow: compat
> group: compat
> passwd_compat: ldap
> shadow_compat: ldap
> group_compat: ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files
> netgroup: ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>
>
> # cat /etc/pam.d/system-auth
> auth required pam_env.so debug
> auth sufficient pam_unix.so nullok try_first_pass debug
> auth requisite pam_succeed_if.so uid >= 500 quiet debug
> auth sufficient pam_ldap.so use_first_pass debug
> auth required pam_deny.so debug
> account sufficient pam_succeed_if.so uid < 500 quiet debug
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
> account required pam_unix.so broken_shadow debug
> password requisite pam_cracklib.so try_first_pass retry=3 debug
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok debug
> password sufficient pam_ldap.so use_authtok debug
> password required pam_deny.so debug
> session required pam_limits.so debug
> session required pam_unix.so debug
> session optional pam_ldap.so debug
>
>
> # cat /etc/ssh/sshd_config
> Port 22
> Protocol 2
> ListenAddress <address>
> HostKey /etc/ssh/ssh_host_dsa_key
> SyslogFacility AUTHPRIV
> LogLevel DEBUG
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> RhostsRSAAuthentication no
> HostbasedAuthentication no
> IgnoreRhosts yes
> PasswordAuthentication yes
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> X11Forwarding yes
> Subsystem sftp /usr/libexec/openssh/sftp-server
>
>
> I'd really appreciate it if somebody could help me out with this, as I have tried almost everything - debug mode from sshd only tells me that when using key based authentication the password is not expired, but if no key is used, the system immediately prompts the password change message.
>
> Thanks and all the best,
> Simon
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
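Editor's note on the diagnosis above, with an added example that is not part of Simon's mail or of the rhelv5-list archive: with UsePAM yes, sshd still runs the PAM account stack after a successful public-key login but never runs the auth stack, so password ageing for key-based logins rests entirely on the shadowLastChange and shadowMax values that NSS returns through nss_ldap. If the bind DN (proxyusr in the quoted ldap.conf) cannot read those attributes, getent shadow shows empty ageing fields, pam_unix finds nothing to enforce, and the login succeeds; the broken_shadow option on the quoted pam_unix account line additionally tells the module to ignore errors reading shadow information, so a failing lookup does not deny access either. The script below re-implements a simplified version of the order of checks in pam_unix's account management (an assumption modelled on pam_unix_acct.c, not that module's code) and, unlike pam_unix, reports the empty-field case explicitly. The names parse_shadow_line, ageing_status and nss_shadow_status are chosen for this example, and the shadow lines used to exercise it are constructed.

```python
#!/usr/bin/env python3
"""Added example: show what password ageing pam_unix can derive from NSS shadow data.

Constructed diagnostic, not code from the rhelv5-list thread. The check order
is a simplified model of pam_unix's account management (assumption), plus one
extra verdict pam_unix does not have: an explicit flag when shadowLastChange
is not visible, which is what an over-restrictive directory ACI produces.
"""
import subprocess
import time
from dataclasses import dataclass

OK = "PAM_SUCCESS"
WARN = "PAM_SUCCESS (expiry warning)"
CHANGE_REQUIRED = "PAM_NEW_AUTHTOK_REQD"
ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
NO_LASTCHANGE = "no shadowLastChange visible to NSS (check LDAP ACI / bind DN)"


@dataclass
class ShadowEntry:
    """Numeric ageing fields of one shadow(5) line; -1 means the field was empty."""
    name: str
    lstchg: int  # days since 1970-01-01 of the last password change
    max: int     # maximum password age in days
    warn: int    # days of warning before expiry
    inact: int   # grace days after expiry before the account locks
    expire: int  # absolute account expiry day


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse 'name:pw:lstchg:min:max:warn:inact:expire:flag' (getent shadow output)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("not a shadow(5) line: %r" % line)

    def num(field: str) -> int:
        # An empty field is what nss_ldap hands back for an attribute it could not read.
        return int(field) if field.strip() else -1

    return ShadowEntry(
        name=fields[0], lstchg=num(fields[2]), max=num(fields[4]),
        warn=num(fields[5]), inact=num(fields[6]), expire=num(fields[7]),
    )


def ageing_status(entry: ShadowEntry, today: int) -> str:
    """Return the PAM-style verdict for `entry` on day `today` (days since epoch)."""
    if entry.expire > 0 and today >= entry.expire:
        return ACCT_EXPIRED            # the account itself has expired
    if entry.lstchg == 0:
        return CHANGE_REQUIRED         # admin forced a change at next login
    if entry.lstchg < 0:
        # Simon's case: shadowLastChange unreadable. With shadowMax unreadable
        # too, pam_unix has no ageing to enforce and returns success here.
        return NO_LASTCHANGE
    if today < entry.lstchg:
        return OK                      # clock skew; pam_unix only logs a warning
    if entry.max < 0:
        return OK                      # no maximum age configured
    age = today - entry.lstchg
    if entry.inact >= 0 and age > entry.max + entry.inact:
        return ACCT_EXPIRED            # expired and past the inactivity grace period
    if age > entry.max:
        return CHANGE_REQUIRED         # password expired, must be changed now
    if entry.warn >= 0 and age > entry.max - entry.warn:
        return WARN                    # inside the warning window
    return OK


def nss_shadow_status(user: str) -> str:
    """Ask NSS (files, compat, ldap: whatever nsswitch.conf says) about `user`.

    Needs root, since shadow data is not world-readable. If the directory ACI
    hides shadowLastChange from the bind DN, the line comes back with empty
    ageing fields and this reports NO_LASTCHANGE instead of a silent success.
    """
    out = subprocess.run(["getent", "shadow", user], capture_output=True,
                         text=True, check=False).stdout
    if not out:
        return "no shadow entry for %s" % user
    return ageing_status(parse_shadow_line(out), int(time.time() // 86400))


if __name__ == "__main__":
    import sys
    for u in sys.argv[1:]:
        print(u, "->", nss_shadow_status(u))
```

Run it as root on the client (python3 shadow_ageing.py <user>) and compare with the raw getent shadow <user> line: an empty third and fifth field means the directory is not returning shadowLastChange and shadowMax to the bind DN, which points at the ACI rather than at sshd or the PAM stack.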
