Solaris 8 not giving password expire warning with ldap?

Post by Cade » Fri, 13 Feb 2004 01:57:01



I am using Solaris 8 with Sun ONE Directory Server 5.2 and I am
noticing some issues that I don't know if it is a bug or a
misconfiguration.

I have Solaris 8 secured ldap clients using tls:simple auth method to
Sun ONE DS 5.2.  I converted from using NIS to LDAP - quite a chore.
Everything authenticates fine (if I use crypt encryption for
passwords).
Telnet, rsh, ssh (breaks if anything other than crypt), ftp - all
work.

The issue is that I do not get a warning that the password will expire
and you need a new one, or the password is expired (not sure if there
is supposed to be a warning), or warn that the password is reset and
needs a new one.

I have the backport patch at level: 108993-31

Here is my pam.conf (for the two mechs that pam_ldap works for in
Sol8):
passwd  auth sufficient         pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1 use_first_pass
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_unix_auth.so.1
login   auth required           pam_ldap.so.1 use_first_pass
login   auth required           pam_dial_auth.so.1
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth sufficient         pam_unix_auth.so.1
rlogin  auth required           pam_ldap.so.1 use_first_pass
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth sufficient         pam_unix_auth.so.1
rsh     auth required           pam_ldap.so.1 use_first_pass
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 use_first_pass

Also, since I am specifying "use_first_pass" on the pam_ldap lines, why
does it ask for LDAP Password if the first one I use isn't right?
It should just use the first one like the man page says and not ask -
users get confused with this prompt as LDAP is new to them.

Is there anything I can do to get the warnings as I want users to
change passwords and I don't want to have to reset 200+ passwords in 3
months?

Thanks
Cade


1. How can I get warned when an individual user's password is going to expire?

Hi, All,

As a system administrator, is there a way I can check:
1. The password expire date for an individual user
2. or the date that user last changed his password
3. or a message/log that indicates a user's account will
expire within a few days.

We are running Tacacs on AIX 4.2. Some users never got a "password
expire warning message" when their passwords expire because they do not
regularly log on to the AIX system. These are router users; their router
passwords are controlled by Tacacs and are linked to the /etc/passwd file on
my AIX system.

Thanks.
Parker
