Wednesday, June 15, 2016

[389-users] Re: Managing user password policy problem

I found more information today.

First -

I found https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/account-usability.html, so I have added aci to the oid.

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
changetype: modify
add: aci
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; allow (read, search, compare, proxy)(groupdn = "ldap:///cn=groupname,ou=group,dc=christianbook,dc=com");)

Next -

I can set my password from the 389 console. Once it's set, the passwordexpiration becomes '1970...', which means it is expired.

Then if I bind as myself from the client:

ldapsearch -x -Z -D "uid=xinhuan,ou=people,dc=christianbook,dc=com" -W -b 'dc=christianbook,dc=com' pwdpolicysubentry

Below is the response:

# search result
search: 3
result: 53 Server is unwilling to perform
control: 2.16.840.1.113730.3.4.4 false MA==

It appears ldapsearch sees that my password has expired, so the server is unwilling to respond. However, I can proceed to log in using ssh, despite the /var/log/secure message mentioned before:

Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required) <---- pam_sss(sshd:auth) got password invalid response from directory server already
Jun 15 12:11:48 dclientdev1 sshd[7894]: Accepted password for xinhuan from ::1 port 41588 ssh2 <---- proceed login

Next -

I change passwordMaxAge to 1 in the policy. Once I log in, I use the 'passwd' command to change my password:

$ passwd
Changing password for user xinhuan.
Current Password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Since passwordMaxAge is set to 1, the next time I log in, I get the prompt:

Your password has expired. You have 2 grace login(s) remaining.

Below is from /var/log/secure:

Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): User info message: Your password has expired. You have 2 grace login(s) remaining.
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan

After consuming all grace login(s), I am able to log in using the expired password. /var/log/secure will still show that the password is expired, but I can log in.
--
389-users mailing list
389-users@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
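The bind above fails with result 53 and a response control `2.16.840.1.113730.3.4.4 false MA==`; the linked Red Hat page also enables the Account Usability control on OID 1.3.6.1.4.1.42.2.27.9.5.8. Decoding those control values is how a client (or an admin checking what SSSD was told) learns the account's exact state. The following is an added example, not code from the post or from 389-ds: it decodes the base64 value of the password-expired control as shown on the page, and decodes Account Usability response values whose BER layout is taken from the Sun account-usability draft as implemented in the 389-ds acct_usability plugin as I understand it (an assumption; the page does not spell out the encoding). All non-page byte strings are constructed samples.

```python
"""Decode 389/RHDS password-policy response controls (added example).

Assumption: the Account Usability response value is a BER CHOICE,
  [0] INTEGER seconds_before_expiration              (account usable)
  [1] SEQUENCE { [0] BOOLEAN inactive, [1] BOOLEAN reset, [2] BOOLEAN expired,
                 [3] INTEGER remaining_grace, [4] INTEGER seconds_before_unlock }
as in the Sun draft / 389-ds plugin; not confirmed by the original post.
"""
import base64

PASSWORD_EXPIRED_CTRL = "2.16.840.1.113730.3.4.4"   # seen on the page
PASSWORD_EXPIRING_CTRL = "2.16.840.1.113730.3.4.5"  # companion control (assumed OID)
ACCOUNT_USABILITY_RESP = "1.3.6.1.4.1.42.2.27.9.5.8"  # from the page's LDIF


def ber_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the BER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def ber_int(value):
    """Two's-complement BER INTEGER; an empty value is treated as 0."""
    return int.from_bytes(value, "big", signed=True) if value else 0


def decode_account_usability(raw):
    """Decode an Account Usability response control value (layout per the assumption above)."""
    tag, value, _ = ber_tlv(raw)
    if tag == 0x80:  # [0] INTEGER: usable, seconds until the password expires
        return {"usable": True, "seconds_before_expiration": ber_int(value)}
    if tag != 0xA1:  # [1] SEQUENCE: not usable, MORE_INFO follows
        raise ValueError("unexpected top-level tag 0x%02x" % tag)
    info = {"usable": False, "inactive": False, "reset": False, "expired": False,
            "remaining_grace": None, "seconds_before_unlock": None}
    fields = {0x80: "inactive", 0x81: "reset", 0x82: "expired",
              0x83: "remaining_grace", 0x84: "seconds_before_unlock"}
    pos = 0
    while pos < len(value):
        t, v, pos = ber_tlv(value, pos)
        name = fields.get(t)
        if name is None:  # skip unknown context tags rather than fail
            continue
        info[name] = bool(v and v[0]) if t <= 0x82 else ber_int(v)
    return info


def login_should_be_allowed(info):
    """What a policy-respecting client should conclude from the decoded control:
    usable accounts pass; expired ones pass only while grace logins remain."""
    if info["usable"]:
        return True
    if info["inactive"] or (info["seconds_before_unlock"] or 0) > 0:
        return False
    if info["expired"] or info["reset"]:
        return (info["remaining_grace"] or 0) > 0
    return True


def decode_control(oid, b64value):
    """Decode one 'control: OID criticality base64' line as printed by ldapsearch."""
    raw = base64.b64decode(b64value)
    if oid == PASSWORD_EXPIRED_CTRL:
        # The server sends the ASCII string "0"; "MA==" on the page decodes to exactly that.
        return {"status": "expired", "value": raw.decode()}
    if oid == PASSWORD_EXPIRING_CTRL:
        return {"status": "expiring", "seconds_left": int(raw.decode())}
    if oid == ACCOUNT_USABILITY_RESP:
        return decode_account_usability(raw)
    return {"status": "unknown", "raw": raw}


# Constructed sample: not usable, expired, 2 grace logins left, not locked.
SAMPLE_NOT_USABLE = bytes([0xA1, 0x0F,
                           0x80, 0x01, 0x00,   # inactive = FALSE
                           0x81, 0x01, 0x00,   # reset = FALSE
                           0x82, 0x01, 0xFF,   # expired = TRUE
                           0x83, 0x01, 0x02,   # remaining_grace = 2
                           0x84, 0x01, 0x00])  # seconds_before_unlock = 0
# Constructed sample: usable, 300 seconds before expiration.
SAMPLE_USABLE = bytes([0x80, 0x02, 0x01, 0x2C])

if __name__ == "__main__":
    print(decode_control(PASSWORD_EXPIRED_CTRL, "MA=="))
    print(decode_account_usability(SAMPLE_NOT_USABLE))
    print(login_should_be_allowed(decode_account_usability(SAMPLE_NOT_USABLE)))
```

The page's `MA==` is just the string "0", which is all the password-expired control carries; the Account Usability control is the one that tells a client how many grace logins remain, which is what `login_should_be_allowed` uses to reproduce the decision SSSD/pam_sss is expected to make.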
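The /var/log/secure excerpts above are the evidence that matters: pam_sss reports the token as no longer valid (or announces remaining grace logins) and sshd then accepts the password anyway. The following is an added example, not code from the post or from SSSD, that correlates those messages per sshd PID so a defender can find every session where a login succeeded after an expiry signal, and separates legitimate grace logins from logins accepted with no grace left. The sample input is the post's own log lines with the author's `<----` annotations removed.

```python
"""Correlate pam_sss expiry messages with sshd acceptance per PID (added example)."""
import re

# Sample taken from the post's /var/log/secure excerpts (annotations stripped).
SAMPLE_LOG = """\
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
Jun 15 12:11:48 dclientdev1 sshd[7894]: pam_sss(sshd:auth): received for user xinhuan: 12 (Authentication token is no longer valid; new one required)
Jun 15 12:11:48 dclientdev1 sshd[7894]: Accepted password for xinhuan from ::1 port 41588 ssh2
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): User info message: Your password has expired. You have 2 grace login(s) remaining.
Jun 15 12:28:07 dclientdev1 sshd[8000]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=xinhuan
"""

# syslog prefix + sshd[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# user name as it appears in pam_sss and sshd messages
USER_RE = re.compile(r"(?:user=|for user |password for )(\w+)")
GRACE_RE = re.compile(r"You have (\d+) grace login")
TOKEN_EXPIRED = "Authentication token is no longer valid"


def find_expired_logins(log_text):
    """Return one finding per sshd session that was accepted after an expiry signal."""
    sessions = {}  # (host, pid) -> state, in order of first appearance
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        s = sessions.setdefault(key, {"ts": m["ts"], "host": m["host"], "pid": m["pid"],
                                      "user": None, "token_expired": False,
                                      "grace_remaining": None, "accepted": False})
        msg = m["msg"]
        u = USER_RE.search(msg)
        if u and s["user"] is None:
            s["user"] = u.group(1)
        if TOKEN_EXPIRED in msg:
            s["token_expired"] = True
        g = GRACE_RE.search(msg)
        if g:
            s["grace_remaining"] = int(g.group(1))
        if msg.startswith("Accepted password for") or "authentication success;" in msg:
            s["accepted"] = True

    findings = []
    for s in sessions.values():
        if not s["accepted"]:
            continue
        if s["token_expired"]:
            kind = "accepted_after_token_expired"  # no grace announced: policy not enforced
        elif s["grace_remaining"] is not None:
            kind = "grace_login"                   # expected behaviour while grace remains
        else:
            continue
        findings.append({"ts": s["ts"], "host": s["host"], "pid": s["pid"],
                         "user": s["user"], "kind": kind,
                         "grace_remaining": s["grace_remaining"]})
    return findings


if __name__ == "__main__":
    for f in find_expired_logins(SAMPLE_LOG):
        print(f)
```

Run against a real /var/log/secure, the `accepted_after_token_expired` findings are the sessions worth raising with the directory and SSSD configuration, while `grace_login` entries with a decreasing count are the policy working as designed.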
