LDAP password expiry notification at login prompt

openldap

I have successfully configured OpenLDAP Server on RHEL 7.2. I have also implemented a password policy as per the URL https://access.redhat.com/solutions/2710021.

LDAP client server authentication is working fine.

I want that whenever any LDAP user logs in to the LDAP client, it should show how many days are left before password expiration (like we normally get when a user logs into a machine).

For the same I have modified my LDAP password policy with the "ldapmodify" command, setting "pwdExpireWarning" to 24 days.

When a user logs in to the LDAP client, the LDAP user simply gets logged in with no message at the login prompt.

code:

[root@LDAP Server]# ldapsearch -x -b cn=default,ou=policies,dc=domain,dc=com -H ldap://LDAP Server.domain.com
# extended LDIF
#
# LDAPv3
# base <cn=default,ou=policies,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# default, policies, domain.com
dn: cn=default,ou=policies,dc=domain,dc=com
cn: default
objectClass: pwdPolicy
objectClass: device
objectClass: top
pwdAttribute: userPassword
pwdMaxAge: 2592000
pwdInHistory: 4
pwdMinLength: 14
pwdMaxFailure: 3
pwdLockout: TRUE
pwdGraceAuthNLimit: 0
pwdFailureCountInterval: 0
pwdMustChange: TRUE
pwdAllowUserChange: TRUE
pwdSafeModify: FALSE
pwdLockoutDuration: 1800
pwdExpireWarning: 2073600
pwdCheckQuality: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

When I logged in to the LDAP client:

[LDAP client]# su - ldapusr1
Last login: <Date> pts/0
[LDAP client]$

Please suggest.

Best Answer

This is likely because when a non-LDAP user logs in, it's the shadow attributes in the /etc/shadow file that control password expiry, whereas for an LDAP user the ppolicy overlay doesn't provide the same attributes.

You can apply the shadowAccount object class to each user and then provide those same attributes as found in the normal /etc/shadow file. However, you will have to maintain those manually; they won't be updated by the ppolicy overlay.
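As an added illustration of the answer's point (this is example code, not part of the question or the answer, and not part of OpenLDAP), the script below takes the policy values from the question (pwdMaxAge 2592000 seconds, pwdExpireWarning 2073600 seconds) together with a user's pwdChangedTime, the operational attribute the ppolicy overlay stamps when a password is set, and does two things: it computes how many days remain and whether the warning window has been entered, and it derives the equivalent shadowAccount day counts (shadowLastChange, shadowMax, shadowWarning) as an LDIF modification. The pwdChangedTime value, the "now" timestamp and the user DN are constructed for the example.

```python
"""Derive expiry status and shadowAccount values from OpenLDAP ppolicy attributes.

Added example: ppolicy stores ages in seconds and the change time as a
GeneralizedTime, while shadowAccount stores whole days (shadowLastChange is
days since the Unix epoch). Because the overlay never writes the shadow
attributes, they have to be regenerated after every password change.
"""
from datetime import datetime, timedelta, timezone

# Policy values as shown in the question's ldapsearch output.
SAMPLE_POLICY = {"pwdMaxAge": 2592000, "pwdExpireWarning": 2073600}
# Constructed user record: pwdChangedTime is a hypothetical timestamp.
SAMPLE_USER = {"pwdChangedTime": "20240301120000Z"}
SAMPLE_DN = "uid=ldapusr1,ou=people,dc=domain,dc=com"  # hypothetical DN

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20240301120000Z (UTC only)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime with a trailing Z is supported")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_status(policy: dict, user: dict, now: datetime) -> dict:
    """Return days left, whether the password is expired, and whether the
    pwdExpireWarning window has been entered."""
    changed = parse_generalized_time(user["pwdChangedTime"])
    max_age = int(policy["pwdMaxAge"])
    warn_window = int(policy.get("pwdExpireWarning", 0))
    expires_at = changed + timedelta(seconds=max_age)
    seconds_left = (expires_at - now).total_seconds()
    return {
        "expires_at": expires_at,
        "days_left": int(seconds_left // 86400),
        "expired": seconds_left <= 0,
        "warn": 0 < seconds_left <= warn_window,
    }


def shadow_attributes(policy: dict, user: dict) -> dict:
    """Translate ppolicy seconds into the day counts shadowAccount expects."""
    changed = parse_generalized_time(user["pwdChangedTime"])
    return {
        "shadowLastChange": (changed - EPOCH).days,
        "shadowMax": int(policy["pwdMaxAge"]) // 86400,
        "shadowWarning": int(policy.get("pwdExpireWarning", 0)) // 86400,
    }


def shadow_ldif(dn: str, policy: dict, user: dict) -> str:
    """Build an LDIF modify record adding shadowAccount and its attributes.
    Re-run and re-apply this after each password change, since ppolicy
    will not keep shadowLastChange in sync."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: objectClass", "objectClass: shadowAccount"]
    for name, value in shadow_attributes(policy, user).items():
        lines += ["-", f"add: {name}", f"{name}: {value}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = parse_generalized_time("20240310120000Z")  # constructed "current" time
    status = expiry_status(SAMPLE_POLICY, SAMPLE_USER, now)
    print(f"password expires {status['expires_at']:%Y-%m-%d}, "
          f"{status['days_left']} days left, warn={status['warn']}")
    print(shadow_ldif(SAMPLE_DN, SAMPLE_POLICY, SAMPLE_USER))
```

The status check mirrors what the warning at the login prompt would say (with the sample values, 21 days remain and the 24-day warning window has already been entered); the LDIF is the manual maintenance the answer describes, with shadowLastChange derived from pwdChangedTime rather than typed by hand.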