Hi Daniel,

On Fri, Dec 11, 2009 at 12:17 AM, Daniel Pittman <[email protected]> wrote:

> Nima Talebi <[email protected]> writes:
>
> > Thanks for getting back to me so fast! Well, even if that's the case - I
> > don't mind, but here's a little more depth into the problem...
>
> Ah. A different problem from what I thought, I suspect, making my answer less
> relevant. I thought it was a deliberately expired password. ;)
>
> > I can bind to the LDAP server as a user, and have that user issue a change
> > of password for themselves - and that works fine.
> >
> > I can do the same via the admin user too of course.
> >
> > Regardless of how I change the password, I still get:
> >
> > % ssh darius
> > You are required to change your LDAP password immediately.
> > Connection closed by 10.211.55.3
>
> So, what does 'passwd -S' show for 'darius' on that machine? Specifically,
> does it report something sensible for the status and age fields?

Well, it depends how I've configured nsswitch.conf, so I'll detail both scenarios...

If nsswitch contains:

# No LDAP here! - PAM LDAP takes over at this point. The `pam_ldap' module
# from the libpam-ldap package logs into the LDAP server when checking
# passwords. The pure pam_ldap solution allows limiting logins by how users
# are stored in the directory (e.g. only allow logins for users in a certain
# piece of the directory, require some attribute, etc). It also requires less
# access rights to the LDAP directory and does not expose password hashes.
shadow: compat

...then I naturally get nothing interesting...

darius:/var/log# passwd -S nima
nima P
darius:/var/log#

If I however replace compat with ldap...

darius:/var/log# passwd -S nima
nima L 01/01/1970 -1 0 0 -1
darius:/var/log#

At which point, the login problem changes to look like...

% ssh darius
You are required to change your password immediately (root enforced)
Linux darius 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Wed Dec 9 06:08:23 2009 from datis
WARNING: Your password has expired. You must change your password now and login again! (pam)
Please visit http://intranet.autonomy.net.au/ to change your password.
passwd: Permission denied
passwd: password unchanged
Connection to darius closed.
%

> Also, what does your /etc/pam.d/sshd file look like? I doubt it is relevant,
> but just in case...

Well, it is a little relevant; here are the ones that matter...

UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no # PAM modules don't like "yes" here

...as per the man page recommendations.

> Anyway, not a problem I have experienced. (The "can't change password" is,
> but our LDAP / ssh / password auth stuff just works(tm), I fear.)

Do you use RHEL or Debian, or...? On our RHEL systems, it's much easier to manage, since Red Hat has consolidated the libpam, libnss, and ldap client stuff all into /etc/ldap.conf; but on Debian, there are 3 separate files.

Nima

> Daniel
>
> --
> ✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
> ♽ made with 100 percent post-consumer electrons
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html

--
Nima Talebi
web: http://ai.autonomy.net.au/People/Nima
gpg: B51D 1F18 D8E2 B702 B027 23A4 E06B DAC1 BE70 ADC0
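The `passwd -S` lines in the message above carry the answer to Daniel's question: with `shadow: ldap` the directory entry reports a last-change date of 01/01/1970, i.e. shadow day 0. The Python below is an added example, not code from this thread nor from Debian, shadow-utils or pam_unix. It parses a `passwd -S` line (login, status, lastchange, min, max, warn, inactive) and applies, in outline, the ordering pam_unix uses for shadow aging at account-management time: a last-change day of 0 forces a password change before any max/inactive arithmetic is done (the "(root enforced)" message), otherwise the age is compared against max and max+inactive. The sample lines other than the two copied from the thread, the names alice/bob/carol/dave and the date 2009-12-11 are constructed for the example; account expiry (sp_expire) is not printed by `passwd -S` and is not modelled.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def parse_passwd_status(line):
    """Parse one line of shadow-utils `passwd -S` output.

    Full form:  login status lastchange min max warn inactive
    Short form: login status   (no shadow aging data was available, which is
                               what `shadow: compat` produced in the thread)
    status is P (usable), NP (no password) or L (password field starts with
    '!' or '*').  lastchange is MM/DD/YYYY in the C locale.
    """
    parts = line.split()
    entry = {"login": parts[0], "status": parts[1]}
    if len(parts) >= 7:
        month, day, year = (int(x) for x in parts[2].split("/"))
        entry["lastchange_days"] = (date(year, month, day) - EPOCH).days
        entry["min"], entry["max"], entry["warn"], entry["inactive"] = (
            int(x) for x in parts[3:7]
        )
    return entry


def aging_verdict(entry, today):
    """Return (verdict, reason) following pam_unix's shadow-aging order in
    outline (assumption: modelled from pam_unix's check_shadow_expiry).

    verdict is one of 'unknown', 'ok', 'must_change', 'expired'.
    """
    if "lastchange_days" not in entry:
        return ("unknown", "no shadow aging data visible to passwd")
    last = entry["lastchange_days"]
    mx, inact = entry["max"], entry["inactive"]
    curdays = (today - EPOCH).days

    # Day 0 is checked first, before any age arithmetic, so it forces a
    # change regardless of min/max/inactive: this is the thread's case.
    if last == 0:
        return ("must_change", "last change is day 0: new password required (root enforced)")
    if curdays < last:
        return ("ok", "last change is in the future: clock skew, not aging")

    age = curdays - last
    # -1 means "no limit" for max and inactive.
    if mx != -1 and inact != -1 and age > mx + inact:
        return ("expired", "older than max+inactive: login refused until an admin resets it")
    if mx != -1 and age > mx:
        # Note max=0 (as in the thread's LDAP entry) would hit this branch
        # one day after any successful change, even with a non-zero lastchange.
        return ("must_change", "older than max days (password aged)")
    return ("ok", "within max age")


def verdict_for(line, today_iso):
    """Convenience wrapper: passwd -S line plus an ISO date for 'today'."""
    return aging_verdict(parse_passwd_status(line), date.fromisoformat(today_iso))


if __name__ == "__main__":
    # Constructed sample lines; the first two match the shapes seen in the thread.
    samples = [
        "nima P",
        "nima L 01/01/1970 -1 0 0 -1",
        "alice P 12/01/2009 0 99999 7 -1",
        "bob P 01/01/2009 0 90 7 -1",
        "carol P 01/01/2009 0 90 7 30",
        "dave P 12/01/2009 -1 0 0 -1",
    ]
    for line in samples:
        verdict, why = verdict_for(line, "2009-12-11")
        print(f"{line!r}: {verdict} ({why})")
```

The practical check this suggests for the thread's situation is to look at the shadowLastChange value the directory hands back for the account: a missing or zero value is reported by `passwd -S` as 01/01/1970 and is treated as "change now" no matter how recently the password was actually changed.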
