Claudio Di Nardo | 28 Sep 14:41 2011

Re: dirsrv, SSH and forcing password change at first login

Hi Joe,

thanks for your reply. I tried your work-around, but unfortunately nothing changes. In fact, I still can't get the user to be asked to change his password after the first successful login. I also took a look at the entire ldap.conf file, looking for potentially relevant directives (pam_lookup_policy, for example), but everything seems OK.
Furthermore, I checked the status of the authentication settings on the client with authconfig --test:

------------------------------------------------------------------------------------------------------------------------

nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldaps://xxx.xxx.xxx.xxx/ldaps://xxx.xxx.xxx.xxx/"
 LDAP base DN = "dc=xxx,dc=xxx"

------------------------------------------------------------------------------------------------------------------------

As you can see, for the authentication sub-system LDAP+TLS is DISABLED. But I can assure you that the LDAP servers only listen on 636 and that LDAP tool queries (ldapmodify, ldapsearch...) only take place if a certificate database is present, just as LDAP authentication over SSH only takes place if the .pem certificate is present in /etc/openldap/cacerts :)
My hypothesis now is: as you may know, passwords and encrypted communications are strictly tied together (e.g. Error 53: DSA is unwilling to perform. The LDAP server refuses to change passwords if a minimum level of security is not assured). Could the fact that for NSS/PAM there's no TLS in communications with the LDAP server - even if, in fact, there IS - maybe result in this strange behavior?
I experienced anyway, during installation and configuration, that the authconfig tool must be a little buggy, and sometimes feeding it CORRECT information at configuration time results in the end in wrong settings for the PAM/NSS subsystems. So I always prefer to manually edit the files instead of using this tool.
I'll try to change some settings in this tool to make it work and to make it recognize that TLS is enabled, and keep you updated.
For now, thanks anyway :)

Claudio

_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list
Claudio Di Nardo | 29 Sep 15:54 2011

Re: dirsrv, SSH and forcing password change at first login

Hi all, (and hi Joe :P),

I finally got it working!
Setting a password policy on a subtree or on a particular user is not enough to make it active: you also have to enable it on cn=config of your LDAP tree.
In particular, in my configuration I have set these parameters on cn=config:

----------------------------------------------------------
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
----------------------------------------------------------

Then I leave it to each "per sub-tree" or "per user" setting to set all the other in-depth policies (e.g. min password length 8 chars, min alpha chars, min digits, min caps...) which are requested.
Plus, I updated the nss_ldap package to the latest release: apparently, in fact, the RHEL 5.4 default nss_ldap package suffers from a bug in password expiry, as explained here - http://rhn.redhat.com/errata/RHBA-2011-0097.html.
Now I correctly get these messages:

user <at> ldap-client:[/root]# ssh ldap-user <at> ldap-client
Password:
Your LDAP password will expire in 1 hour.
Last login: Thu Sep 29 15:21:58 2011 from xxx.xxx.xxx.xxx

Remote kickstart on 2011-03-07

ldap-user <at> ldap-client:[/home/ldap-user]#

as well as

user <at> ldap-client:[/root]# ssh ldap-user <at> ldap-client
Password:
You are required to change your LDAP password immediately.
Enter login(LDAP) password:

Hope this could be useful for others.
Cheers! :)

Claudio

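The two things this thread ends up checking are the global password policy on the server's cn=config entry (passwordExp / passwordMustChange must be "on" there, not only in a subtree or per-user policy) and the pam_lookup_policy setting in the client's /etc/ldap.conf. The script below is an added example, not code from the thread or from 389 Directory Server / pam_ldap: it parses a base-scope LDIF export of cn=config and an ldap.conf fragment and reports what is missing, and it builds the ldapmodify change record that would set the global toggles. All sample inputs are constructed from the values in the posts (the ldap.example.test host and dc=example,dc=test base are placeholders); the "weak scheme" list is an assumption of the example, not a recommendation from the thread.

```python
"""Offline check of the two places the thread touches: the global password
policy on the directory server's cn=config entry, and pam_ldap's ldap.conf
on the client. Sample inputs are constructed from the values in the thread;
they are not captures from a real server."""

import re

# Constructed: a base-scope export of cn=config after the thread's settings.
SAMPLE_CN_CONFIG_LDIF = """\
dn: cn=config
passwordCheckSyntax: on
passwordExp: on
passwordInHistory: 10
passwordisglobalpolicy: off
passwordLockout: on
passwordStorageScheme: SHA512
passwordMustChange: on
"""

# Constructed: a cn=config where only a subtree/user policy was set, so the
# global toggles are still off (the situation in the first message).
SAMPLE_CN_CONFIG_UNTOUCHED = """\
dn: cn=config
passwordExp: off
passwordMustChange: off
passwordStorageScheme: SSHA
"""

# Constructed /etc/ldap.conf fragment for the pam_ldap/nss_ldap client.
SAMPLE_LDAP_CONF = """\
uri ldaps://ldap.example.test/
base dc=example,dc=test
ssl on
tls_cacertdir /etc/openldap/cacerts
pam_password md5
pam_lookup_policy yes
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercased: [values]}.

    LDAP attribute names are case-insensitive, which is why the thread's
    'passwordisglobalpolicy' and the documented 'passwordIsGlobalPolicy' are
    the same attribute. Folded continuation lines (leading space) are joined,
    comment lines are skipped, and '::' base64 values are kept as-is because
    none of the policy flags use them.
    """
    attrs = {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = value[1:]
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


# Global toggles the thread found necessary for expiry / must-change to fire.
REQUIRED_ON = ("passwordexp", "passwordmustchange")
# Assumed list of unsalted or legacy schemes; the thread settled on SHA512.
WEAK_SCHEMES = {"CLEAR", "CRYPT", "MD5"}


def audit_global_policy(ldif_text):
    """Return a list of findings; an empty list means cn=config passes."""
    attrs = parse_ldif_entry(ldif_text)
    findings = []
    for attr in REQUIRED_ON:
        values = [v.lower() for v in attrs.get(attr, [])]
        if "on" not in values:
            findings.append(f"{attr} is not 'on' in cn=config (found: {values or 'absent'})")
    scheme = attrs.get("passwordstoragescheme", [""])[0].upper()
    if scheme in WEAK_SCHEMES:
        findings.append(f"passwordStorageScheme is {scheme}; prefer a SHA-2 scheme such as SHA512")
    return findings


def audit_ldap_conf(conf_text):
    """Return findings for the client-side pam_ldap setting the thread names."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    findings = []
    if settings.get("pam_lookup_policy", "no").lower() != "yes":
        findings.append("pam_lookup_policy is not 'yes'; pam_ldap will not look up the server's password policy")
    return findings


def policy_modify_ldif(settings):
    """Build an LDIF change record (RFC 2849 'changetype: modify') that would
    apply the given attribute/value pairs to cn=config via ldapmodify."""
    lines = ["dn: cn=config", "changetype: modify"]
    for attr, value in settings.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, ldif in (("thread settings", SAMPLE_CN_CONFIG_LDIF),
                        ("untouched cn=config", SAMPLE_CN_CONFIG_UNTOUCHED)):
        print(f"[{label}]", audit_global_policy(ldif) or "ok")
    print("[ldap.conf]", audit_ldap_conf(SAMPLE_LDAP_CONF) or "ok")
    print(policy_modify_ldif({"passwordExp": "on", "passwordMustChange": "on"}))
```

To run it against a live server, replace SAMPLE_CN_CONFIG_LDIF with the output of a base-scope ldapsearch on cn=config (bound as Directory Manager) and feed the record from policy_modify_ldif to ldapmodify over the same ldaps connection; the check deliberately keys on lowercased attribute names so that mixed-case spellings in an export do not produce false findings.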
Joe Friedeggs | 29 Sep 22:29 2011

RE: dirsrv, SSH and forcing password change at first login

Out of curiosity, is it working with md5?

In /etc/ldap.conf:

    pam_password md5
    pam_lookup_policy yes

Thanks,
Joe

Claudio Di Nardo | 30 Sep 00:02 2011

Re: dirsrv, SSH and forcing password change at first login

Hi Joe,

yes. It worked with MD5. Then I switched to SHA512 to increase security, with no problems. You can even set the password scheme on a per-user basis. At that point the encryption scheme is transparent to PAM and NSS.

Claudio