When changing passwd, pam.conf is not using dsee6 for password policy

I have dsee 6.0 installed on a solaris 10 server (nznsfn60).

I have a solaris 9 server (nznsfn29) set up to use ldap authentication.

bash-2.05# cat /var/ldap/ldap_client_file

# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.

NS_LDAP_FILE_VERSION= 2.0

NS_LDAP_SERVERS= nznsfn60.zeus.ghsewn.com, nzlsfn60.zeus.ghsewn.com

NS_LDAP_SEARCH_BASEDN= dc=zeus,dc=ghsewn,dc=com

NS_LDAP_AUTH= tls:simple

NS_LDAP_SEARCH_REF= FALSE

NS_LDAP_SEARCH_SCOPE= one

NS_LDAP_SEARCH_TIME= 30

NS_LDAP_SERVER_PREF= nznsfn60.zeus.ghsewn.com, nzlsfn60.zeus.ghsewn.com

NS_LDAP_CACHETTL= 43200

NS_LDAP_PROFILE= tls_nelsonst_profile

NS_LDAP_CREDENTIAL_LEVEL= proxy

NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=zeus,dc=ghsewn,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=zeus,dc=ghsewn,dc=com?one

NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=zeus,dc=ghsewn,dc=com?one

NS_LDAP_BIND_TIME= 10

bash-2.05# cat /var/ldap/ldap_client_cred

# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.

NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=zeus,dc=ghsewn,dc=com

NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7

bash-2.05# cat /etc/nsswitch.conf

# /etc/nsswitch.ldap:

# An example file that could be copied over to /etc/nsswitch.conf; it

# uses LDAP in conjunction with files.

# "hosts:" and "services:" in this file are used only if the

# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

passwd:files ldap

group:files ldap

# consult /etc "files" only if ldap is down.

hosts:files dns

ipnodes:files

# Uncomment the following line and comment out the above to resolve

# both IPv4 and IPv6 addresses from the ipnodes databases. Note that

# IPv4 addresses are searched in all of the ipnodes databases before

# searching the hosts databases. Before turning this option on, consult

# the Network Administration Guide for more details on using IPv6.

#ipnodes:ldap [NOTFOUND=return] files

networks:files

protocols: files

rpc:files

ethers:files

netmasks:files

bootparams: files

publickey: files

netgroup:ldap

automount: files ldap

aliases:files ldap

# for efficient getservbyname() avoid ldap

services:files ldap

sendmailvars:files

printers:user files ldap

auth_attr: files ldap

prof_attr: files ldap

project:files ldap

bash-2.05# cat /etc/pam.conf

#ident "@(#)pam.conf1.2002/01/23 SMI"

# Use is subject to license terms.

# PAM configuration

# Unless explicitly defined, all services use the modules

# defined in the "other" section.

# Modules are defined with relative pathnames, i.e., they are

# relative to /usr/lib/security/$ISA. Absolute path names, as

# present in this file in previous releases are still acceptable.

# Authentication management

# login service (explicit because of pam_dial_auth)

loginauth requisite pam_authtok_get.so.1 debug

loginauth requiredpam_dhkeys.so.1 debug

loginauth requiredpam_dial_auth.so.1 debug

loginauth bindingpam_unix_auth.so.1 server_policy debug

loginauth requiredpam_ldap.so.1 use_first_pass debug

# rlogin service (explicit because of pam_rhost_auth)

rlogin auth sufficient pam_rhosts_auth.so.1

rlogin auth requisite pam_authtok_get.so.1

rlogin auth requiredpam_dhkeys.so.1

rlogin auth bindingpam_unix_auth.so.1 server_policy

rlogin auth requiredpam_ldap.so.1 use_first_pass

# rsh service (explicit because of pam_rhost_auth,

# and pam_unix_auth for meaningful pam_setcred)

rshauth sufficient pam_rhosts_auth.so.1

rshauth requiredpam_unix_auth.so.1

# PPP service (explicit because of pam_dial_auth)

pppauth requisite pam_authtok_get.so.1

pppauth requiredpam_dhkeys.so.1

pppauth requiredpam_dial_auth.so.1

pppauth bindingpam_unix_auth.so.1 server_policy

pppauth requiredpam_ldap.so.1 use_first_pass

# Default definitions for Authentication management

# Used when service name is not explicitly mentioned for authenctication

otherauth requisite pam_authtok_get.so.1 debug

otherauth requiredpam_dhkeys.so.1 debug

otherauth bindingpam_unix_auth.so.1 server_policy debug

otherauth requiredpam_ldap.so.1 use_first_pass debug

# passwd command (explicit because of a different authentication module)

passwd auth bindingpam_passwd_auth.so.1 server_policy debug

passwd auth requiredpam_ldap.so.1 use_first_pass debug

# cron service (explicit because of non-usage of pam_roles.so.1)

cronaccount requiredpam_projects.so.1

cronaccount requiredpam_unix_account.so.1

# Default definition for Account management

# Used when service name is not explicitly mentioned for account management

otheraccount requisitepam_roles.so.1 debug

otheraccount requiredpam_projects.so.1 debug

otheraccount binding pam_unix_account.so.1 server_policy debug

otheraccount requiredpam_ldap.so.1 no_pass debug

# Default definition for Session management

# Used when service name is not explicitly mentioned for session management

othersession requiredpam_unix_session.so.1

# Default definition for Password management

# Used when service name is not explicitly mentioned for password management

otherpassword requiredpam_dhkeys.so.1 debug

otherpassword requisitepam_authtok_get.so.1 debug

otherpassword requisitepam_authtok_check.so.1 debug

otherpassword requiredpam_authtok_store.so.1 server_policy debug

# Support for Kerberos V5 authentication (uncomment to use Kerberos)

#rlogin auth optionalpam_krb5.so.1 try_first_pass

#login auth optionalpam_krb5.so.1 try_first_pass

#other auth optionalpam_krb5.so.1 try_first_pass

#cronaccount optionalpam_krb5.so.1

#other account optionalpam_krb5.so.1

#other session optionalpam_krb5.so.1

#other password optionalpam_krb5.so.1 try_first_pass

I can ssh into nznsfn29 with user vz07r1 which does not exist locally but exists in the directory server. This is from /var/adm/messages on nznsfn29 (the ldap client):

May 17 15:25:07 nznsfn29 sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd vz07r1), flags = 0

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = vz07r1 ruser = not set rhost = hlz1ir16.zeus.ghsewn.com

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass

May 17 15:25:11 nznsfn29 sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(vz07r1), flags = 0

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for vz07r1 from 10.115.1.251 port 2703 ssh2

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes

May 17 15:25:11 nznsfn29 sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set

May 17 15:25:11 nznsfn29 sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored

If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd

bash-2.05$ passwd

passwd: Changing password for vz07r1

Enter existing login password:

New Password:

passwd: Password too short - must be at least 8 characters.

Please try again

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd vz07r1), flags = 0

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = vz07r1 ruser = not set rhost = not set

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(vz07r1), flags = 80000000

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()

May 17 15:26:17 nznsfn29 passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK

May 17 15:26:20 nznsfn29 passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called

May 17 15:26:20 nznsfn29 passwd[27014]: [ID 271931 user.debug]pam_authtok_check: minimum length from /etc/default/passwd: 8

May 17 15:26:20 nznsfn29 passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()

May 17 15:26:20 nznsfn29 passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set

I am using the default policy on the directory server which states a minimum password length of 6 characters.

nznsfn60:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h nznsfn60 -p 389|grep ^pwd-

pwd-accept-hashed-pwd-enabled: N/A

pwd-check-enabled: off

pwd-compat-mode: DS6-mode

pwd-expire-no-warning-enabled: on

pwd-expire-warning-delay: 1d

pwd-failure-count-interval : 10m

pwd-grace-login-limit : disabled

pwd-keep-last-auth-time-enabled: off

pwd-lockout-duration: disabled

pwd-lockout-enabled: off

pwd-lockout-repl-priority-enabled : on

pwd-max-age: disabled

pwd-max-failure-count : 3

pwd-max-history-count : disabled

pwd-min-age: disabled

pwd-min-length : 6

pwd-mod-gen-length: 6

pwd-must-change-enabled: off

pwd-root-dn-bypass-enabled : off

pwd-safe-modify-enabled: off

pwd-storage-scheme: CRYPT

pwd-strong-check-dictionary-path: /opt/SUNWdsee/ds6/plugins/words-english-big.txt

pwd-strong-check-enabled: off

pwd-strong-check-require-charset: lower

pwd-strong-check-require-charset: upper

pwd-strong-check-require-charset: digit

pwd-strong-check-require-charset: special

pwd-supported-storage-scheme: CRYPT

pwd-supported-storage-scheme: SHA

pwd-supported-storage-scheme: SSHA

pwd-supported-storage-scheme: NS-MTA-MD5

pwd-supported-storage-scheme: CLEAR

pwd-user-change-enabled: off

Whereas /etc/default/passwd on the ldap client (nznsfn29) says passwords must be 8 characters. This is seen with thepam_authtok_check: minimum length from /etc/default/passwd: 8

. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication but when I try to change the password it does not use the policy from the server which says I only need a minimum lenght of 6 characters.

I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatability in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?

[12743 byte] By [ericduggana] at [2007-11-27 5:18:40]

Java programming resources: FAQs, tutorials, compiler and browser download sites, documentation, books lists, IDEs, etc.

When changing passwd, pam.conf is not using dsee6 for password policy

Web & Directory Servers Hot Topic

Web & Directory Servers

All Classified