Basically we have to set two things on the client to get rid of these issues.
First, in the file /etc/ldap.conf we uncomment the entry pam_lookup_policy yes.
Second, we change the order of the modules in the file /etc/pam.d/common-account, specifically the modules pam_unix.so and pam_ldap.so:
account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so

This way the password changes are enforced and we get a notice about password expirations.
If you use Kerberos auth like I do you have one more thing to do. The file /etc/pam.d/common-auth looks like this:
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

The success=3 part means that upon successful Kerberos auth the next 3 modules are skipped, i.e. you go right to the module pam_permit.so and that lets you in. This way pam_ldap.so is never run and you will not be notified about the expiring password.
If you replace the 3 with a 1, a good Kerberos password means that only the Unix auth is skipped but not the LDAP auth. The Kerberos and LDAP passwords are in sync, and the module pam_ldap.so does not prompt for the password again because of the option use_first_pass. So the user gives her password only once but the client authenticates her twice. And this way we get our warning.
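To make the skip arithmetic concrete, here is a small simulator of the Linux-PAM stack control flow, added here as an example (it is not code from the original post). It parses the account and auth stacks quoted above and reports which modules actually run and what the stack returns. The control-flag handling is a simplified rendering of pam_dispatch(): the results of pam_ldap.so, pam_unix.so and pam_krb5.so are supplied by the caller as constructed values, while pam_deny.so and pam_permit.so keep their fixed results.

```python
"""Simulate Linux-PAM stack control flow for the common-account and
common-auth stacks shown in the post (added example, not the post's code)."""
import re

# Fixed results: pam_deny.so always fails, pam_permit.so always succeeds.
FIXED = {"pam_deny.so": "perm_denied", "pam_permit.so": "success"}

# Expansion of the simple control keywords into bracket form (pam.d(5)).
SIMPLE = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The two stacks quoted in the post; {skip} is the pam_krb5.so success count.
ACCOUNT = """
account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
"""
AUTH = """
auth [success={skip} default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""


def parse_stack(text):
    """Parse pam.d lines into (module, {return_value: action}) pairs."""
    stack = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if not m:
            raise ValueError(f"cannot parse PAM line: {line!r}")
        _type, control, module = m.groups()
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = dict(SIMPLE[control])
        stack.append((module, actions))
    return stack


def run_stack(stack, results):
    """Return (modules_executed, final_status).

    'ok' records a positive result unless a failure is already recorded,
    'bad' records a failure, 'done'/'die' stop the stack, 'ignore' leaves
    the status alone, and an integer N behaves like 'ok' and then skips
    the next N modules. Unknown modules default to 'success' (constructed)."""
    executed, impression, status, skip = [], None, "perm_denied", 0
    for module, actions in stack:
        if skip:
            skip -= 1
            continue
        retval = FIXED.get(module, results.get(module, "success"))
        executed.append(module)
        action = actions.get(retval, actions.get("default", "bad"))
        if action.isdigit():
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
        if action in ("done", "die"):
            break
    return executed, status


def account_outcome(ldap_result, unix_result="success"):
    """Run the reordered common-account stack with the given module results."""
    return run_stack(parse_stack(ACCOUNT),
                     {"pam_ldap.so": ldap_result, "pam_unix.so": unix_result})


def auth_modules_run(krb5_skip):
    """Run common-auth after a successful Kerberos login with success=<krb5_skip>."""
    return run_stack(parse_stack(AUTH.format(skip=krb5_skip)),
                     {"pam_krb5.so": "success", "pam_ldap.so": "success"})


if __name__ == "__main__":
    print("expired LDAP password:", account_outcome("new_authtok_reqd"))
    print("success=3 runs:", auth_modules_run(3)[0])
    print("success=1 runs:", auth_modules_run(1)[0])
```

With success=3 the auth run is pam_krb5.so followed directly by pam_permit.so; with success=1 pam_ldap.so is executed in between, which is exactly the module that carries the expiry warning. In the account stack, new_authtok_reqd=done makes the stack return new_authtok_reqd as soon as pam_ldap.so reports an expired password, so the login program has to force the change.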
Cool!
If you use the overlay smbkrb5pwd for syncing the password you have one more issue regarding password policies. But I leave it for the next post.