LDAP password policies and multiple group memberships
Here I am a few days down the line after getting netgroups working with LDAP (in my previous thread - http://forum.java.sun.com/thread.jspa?threadID=5172061 ), and I've stumbled on my next couple of hurdles.
ISSUE NUMBER 1
First of all, I cannot seem to get my LDAP clients to use the password policies which I have set on the LDAP server. I am assuming it has something to do with either pam.conf configuration, ldap_client_file configuration, or a combination of both.
I'll put as much detail as I can in below, and hopefully someone can help me figure this out.
It's worth pointing out that I am not completely familiar with how PAM works, so I've been trying a "best guess" approach based on my Google search results... I would RTFM, but the appropriate documentation appears to be either cryptic or non-existent.
So - My ldap_client_file contains:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= <ldap servers addresses>
NS_LDAP_SEARCH_BASEDN= <appropriate dc entries>
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,<appropriate dc entries>
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,<appropriate dc entries>
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=Groups,<appropriate dc entries>
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=Groups,<appropriate dc entries>
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=Sudoers,<appropriate dc entries>
#
And my pam.conf file currently looks like:
login   auth     optional   pam_authtok_get.so.1
login   auth     optional   pam_dhkeys.so.1
login   auth     sufficient pam_unix_cred.so.1
login   auth     sufficient pam_unix_auth.so.1
login   auth     optional   pam_dial_auth.so.1
login   auth     required   pam_ldap.so.1 try_first_pass
#
rlogin  auth     sufficient pam_rhosts_auth.so.1
rlogin  auth     requisite  pam_authtok_get.so.1
rlogin  auth     required   pam_dhkeys.so.1
rlogin  auth     required   pam_unix_cred.so.1
rlogin  auth     required   pam_unix_auth.so.1
#
krlogin auth     required   pam_unix_cred.so.1
krlogin auth     binding    pam_krb5.so.1
krlogin auth     required   pam_unix_auth.so.1
#
rsh     auth     sufficient pam_rhosts_auth.so.1
rsh     auth     required   pam_unix_cred.so.1
#
krsh    auth     required   pam_unix_cred.so.1
krsh    auth     binding    pam_krb5.so.1
krsh    auth     required   pam_unix_auth.so.1
#
ktelnet auth     required   pam_unix_cred.so.1
ktelnet auth     binding    pam_krb5.so.1
ktelnet auth     required   pam_unix_auth.so.1
#
ppp     auth     requisite  pam_authtok_get.so.1
ppp     auth     required   pam_dhkeys.so.1
ppp     auth     required   pam_unix_cred.so.1
ppp     auth     required   pam_unix_auth.so.1
ppp     auth     required   pam_dial_auth.so.1
#
other   auth     requisite  pam_authtok_get.so.1
other   auth     required   pam_dhkeys.so.1
other   auth     required   pam_unix_cred.so.1
other   auth     required   pam_unix_auth.so.1
#
passwd  auth     sufficient pam_passwd_auth.so.1
passwd  auth     required   pam_ldap.so.1 try_first_pass
#
cron    account  required   pam_unix_account.so.1
#
#
other   account  requisite  pam_roles.so.1
other   account  required   pam_unix_account.so.1
#
other   session  required   pam_unix_session.so.1
#
other   password required   pam_dhkeys.so.1
other   password required   pam_authtok_get.so.1
other   password required   pam_authtok_check.so.1
other   password sufficient pam_authtok_store.so.1
other   password required   pam_ldap.so.1
I've set the Global password policy on our LDAP server to be:
Allow users to change their passwords (true)
Password storage scheme: Unix crypt
Min password length: 10 characters
Strong check:
1 uppercase
1 numerical
1 special
And I've applied it to our suffix.
When I try to change the password, I get:
dmacpherson@aunswh007 # passwd -r ldap dmacpherson
Enter existing login password:
New Password: XXXXXXXXXX
Re-enter new Password: XXXXXXXXXXX
Permission denied
dmacpherson@aunswh007 #
But if I try to enter a 3-digit password, I am told that the password policy is set to 6 digits - not 10, as per the LDAP Global policy... Therefore, I think I'm misconfigured somewhere:
dmacpherson@aunswh007 # passwd -r ldap dmacpherson
Enter existing login password: XXX
New Password: XXX
passwd: Password too short - must be at least 6 characters.
Please try again
Any ideas?
ISSUE NUMBER 2
For each of my LDAP posixAccounts, I want to be able to allocate group memberships of more than one group - i.e. a primary and some secondaries, as in standard Unix.
Whenever I try to add another gidNumber, this does not work!
Any ideas here?
Thanks!
Message was edited by: Dougiesic
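Added example, not part of the original post: a small Python parser for the pam.conf layout quoted above, so a stack can be audited for which modules actually run (a 'sufficient' entry that succeeds ends the stack, so a later pam_ldap entry is never consulted) and which module enforces the local /etc/default/passwd length limit before any directory-server policy is seen. It assumes Solaris PAM control-flag semantics and the Solaris PASSLENGTH default of 6; the sample configuration and /etc/default/passwd text are constructed here, trimmed from the post.

```python
import re
from collections import defaultdict
# Constructed sample in the pam.conf layout quoted above (login + other stacks).
SAMPLE_PAM_CONF = """\
login   auth     optional   pam_authtok_get.so.1
login   auth     sufficient pam_unix_auth.so.1
login   auth     required   pam_ldap.so.1 try_first_pass
other   password required   pam_dhkeys.so.1
other   password required   pam_authtok_get.so.1
other   password required   pam_authtok_check.so.1
other   password sufficient pam_authtok_store.so.1
other   password required   pam_ldap.so.1
# comment lines and blank lines are ignored
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks[(service.lower(), mtype.lower())].append((flag.lower(), module, fields[4:]))
    return dict(stacks)

def stack_for(stacks, service, mtype):
    """PAM uses the 'other' stack when a service has no entries of that type."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def skipped_after_sufficient(stack):
    """Modules never consulted once an earlier 'sufficient' module succeeds
    (and no earlier 'required' module has failed)."""
    for i, (flag, _, _) in enumerate(stack):
        if flag == "sufficient":
            return [module for _, module, _ in stack[i + 1:]]
    return []

def local_policy_modules(stack):
    """pam_authtok_check enforces /etc/default/passwd locally, ahead of any server policy."""
    return [m for _, m, _ in stack if m.startswith("pam_authtok_check")]

def min_passlength(default_passwd_text):
    """PASSLENGTH from /etc/default/passwd; Solaris defaults to 6 when it is unset."""
    m = re.search(r"^\s*PASSLENGTH\s*=\s*(\d+)", default_passwd_text, re.M)
    return int(m.group(1)) if m else 6
```

Running it against the real /etc/pam.conf and /etc/default/passwd shows the client-side minimum the passwd command will enforce, which can then be compared with the policy configured on the directory server.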