Ldap – ppolicy with pam_ldap – pwdReset has no effect when logging in from Ubuntu

authenticationldapopenldappam-ldappassword-policy

We installed ppolicy overlay on our ldap server. Password policies work correctly for locking out user after X incorrect password attempts, but we can't enforce user to change his password.

When we set pwdReset=TRUE attribute for a user – user can login as usual from Ubuntu client machine.

Ldap server & client were setup according to Ubuntu howto: https://help.ubuntu.com/12.10/serverguide/openldap-server.html

Client machine uses pam_ldap

Configuration file /etc/ldap.conf has "pam_lookup_policy yes" line

But pwdReset attribute is ignored.

According to what I read on the internet pam_ldap should honor ppolicy and require user to change his password when pwdReset is set. But it doesn't work for us..

How to make ubuntu client honor pwdReset attribute?

Maybe I can turn on debug logging for pam_ldap? But I can't find how to do it…

Best Answer

You must make sure that pwdMustChange is set to TRUE on the user's effective password policy.

See the slapo-ppolicy manpage for more information.

Related Solutions

Ldap – OpenLDAP Password Expiration with pwdReset=TRUE

I don't see why a temporary password should expire? If the user never logs in then it shouldn't expire because the user needs to select the new one so he/she knows it.

According to this on the first access of a record by a user, the user will have to change it on first authentication http://linux.die.net/man/5/slapo-ppolicy

are you saying the user can ignore changing it when he first logs back in?

How to get openldap to honor pwdReset=TRUE

To see additional information from ppolicy, you have to request the extension explicitly.

For ldapsearch(1), ldapwhoami(1), and friends, you do that with -e ppolicy:

$ ldapwhoami -x -D uid=me,ou=users,dc=example,dc=org -W -e ppolicy -v
ldap_initialize( <DEFAULT> )
Enter LDAP Password: 
ldap_bind: Success (0); Password must be changed
dn:uid=me,ou=users,dc=example,dc=org
Result: Success (0)

For your application, it depends on the particular library you're using. The code for the C api, for example, is here. (I didn't find manpage for it, sorry.)

Best Answer

Related Solutions

Ldap – OpenLDAP Password Expiration with pwdReset=TRUE

How to get openldap to honor pwdReset=TRUE

Related Topic