[Ltb-users] Password policy not preventing ssh login after password expires

Clément OUDOT clem.oudot at gmail.com
Sat May 5 15:08:03 CEST 2012


2012/5/4 William Muriithi <william.muriithi at gmail.com>:
> Hello

Hello,

>
> I have openLDAP 2.4.21 running and configured to age password after 90
> days.  I just implemented ppolicy but the all the users were in place
> before before password policy were implemented.

First, 2.4.21 is quite old. You can download RPMs for 2.4.31 here:
http://ltb-project.org/wiki/download#openldap

> From the logs, it look like the slapd is aware it should be aging the
> passwords, but it does not force the user to change the password when
> the password is older than 90 days. Is it possible to enforce password
> for users who were created before ppolicy was setup?  Is it necessary
> to run ldapmodify against all exisitng users and add some attributes
> related to ppolicy?

Yes it is, but most of these attributes cannot be written with
ldapmodify, as they are operational. You could try to set pwdReset to
TRUE in all entries, that should force user to change their password
at next connection. But this flag must be handle by the software that
does the LDAP authentication. For example LemonLDAP::NG manage this
flag (http://lemonldap-ng.org)

>
> Below is the a debug log on a single session.  Does anyone notice
> anything I could have missed?  The line below does indicate that the
> password policy is at least identifying the aged password?
>
> May  4 09:53:42 ldap1 slapd[6534]: ppolicy_bind: Setting warning for
> password expiry for uid=user1,ou=people,dc=example,dc=local = 0
> seconds
>

It just says it sends a warning : your password will expire in 0
seconds. What you seem to say is that the password is not expired?
This is maybe a bug, so try to update your version.

Last thing, if your problem is not related to the packaging, it would
be better to ask your question directly on OpenLDAP mailing lists.


Clément.


More information about the ltb-users mailing list