Re: Password expiry warning message from ppolicy



by vsp_123


Hello All,

I have been working on this puzzle for a while now. I have looked
through OpenLDAP, ppolicy overlay and pam_ldap codes and have come back
to pam_ldap for now.

To give a summary,

I have compiled OpenLDAP (2.3.29) with ppolicy overlay as a module and
back-hdb as static backend. I am loading the ppolicy module properly and
have pam_lookup_policy set to yes and ppolicy_default set to an
available entry in "ldap.conf". I have compiled pam_ldap (183).

When a user's password expires, the SSH client (with PAM's help) complains,
saying:
"You are required to change your LDAP password immediately."

But when a user's pwdExpireWarning is up, I can see (using debug
messages) that OpenLDAP passes this information along to PAM. I can also
see "_conv_sendmsg()" being called from _pam_sm_acct_mgmt with a message
similar to
"Your LDAP password will expire in %ld day%s."
But somehow this message never comes back to the SSH client. Please note
that I do not have "no_warn" in /etc/pam.d/sshd.

Similarly, when I change the password after it has expired, I can see from
LDAP's logs that the password information was successfully updated, but
this message does not come back to the SSH client for some reason.

I have come to the conclusion that this must be something with the PAM
sshd configuration, but for the life of me I can't figure out what it is. If
someone can help, I would really appreciate that. Here is my current
PAM/ssh configuration.

auth     sufficient  pam_ldap.so debug
auth     required    pam_env.so
auth     required    pam_unix2.so
auth     required    pam_nologin.so
account  sufficient  pam_ldap.so debug
account  required    pam_unix2.so
password sufficient  pam_ldap.so debug
password required    pam_pwcheck.so  nullok
password required    pam_unix2.so    nullok use_first_pass use_authtok
session  sufficient  pam_ldap.so debug
session  required    pam_limits.so
session  required    pam_unix2.so

Thanks,
Prakash

Re: Re: Password expiry warning message from ppolicy

by vsp_123


>>> "Prakash Velayutham" <Prakash.Velayutham@...> 12/27/06 11:08 PM >>>
> Hello All,
>
> I have been working on this puzzle for a while now. I have looked
> through OpenLDAP, ppolicy overlay and pam_ldap codes and have come back
> to pam_ldap for now.
>
> To give a summary,
>
> I have compiled OpenLDAP (2.3.29) with ppolicy overlay as a module and
> back-hdb as static backend. I am loading the ppolicy module properly and
> have pam_lookup_policy set to yes and ppolicy_default set to an
> available entry in "ldap.conf". I have compiled pam_ldap (183).
>
> When a user's password expires, the SSH client (with PAM's help) complains,
> saying:
> "You are required to change your LDAP password immediately."
>
> But when a user's pwdExpireWarning is up, I can see (using debug
> messages) that OpenLDAP passes this information along to PAM. I can also
> see "_conv_sendmsg()" being called from _pam_sm_acct_mgmt with a message
> similar to
> "Your LDAP password will expire in %ld day%s."
> But somehow this message never comes back to the SSH client. Please note
> that I do not have "no_warn" in /etc/pam.d/sshd.
>
> Similarly, when I change the password after it has expired, I can see from
> LDAP's logs that the password information was successfully updated, but
> this message does not come back to the SSH client for some reason.
>
> I have come to the conclusion that this must be something with the PAM
> sshd configuration, but for the life of me I can't figure out what it is. If
> someone can help, I would really appreciate that. Here is my current
> PAM/ssh configuration.
>
> auth     sufficient  pam_ldap.so debug
> auth     required    pam_env.so
> auth     required    pam_unix2.so
> auth     required    pam_nologin.so
> account  sufficient  pam_ldap.so debug
> account  required    pam_unix2.so
> password sufficient  pam_ldap.so debug
> password required    pam_pwcheck.so  nullok
> password required    pam_unix2.so    nullok use_first_pass use_authtok
> session  sufficient  pam_ldap.so debug
> session  required    pam_limits.so
> session  required    pam_unix2.so
>
> Thanks,
> Prakash

Hello All,

I wanted to give a heads-up. I have found a solution to this one, and it
was not pam_ldap. It was the OpenSSH on my system. I was running OpenSSH
4.1p1, and it looks like this issue was fixed in 4.3p2 and higher. I got the
latest, 4.5p2, and things are working now. I will test some more and
report back again soon.

Have a happy new year,
Prakash
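A small diagnostic, added here as an example and not part of the thread, that checks the two things this exchange points at: whether the installed OpenSSH is at least 4.3p2 (parsed from an `ssh -V` banner) and whether the account stack in /etc/pam.d/sshd loads pam_ldap.so without `no_warn`. The banner and PAM config strings in the block are constructed samples and the function names are my own; it assumes the portable OpenSSH banner format "OpenSSH_MAJOR.MINORpPATCH".

```sh
#!/bin/sh
# Added example (not from the thread): isolate the two causes discussed above.

# Print "MAJOR MINOR PATCH" parsed from an `ssh -V 2>&1` banner, or fail.
parse_openssh_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# usage: openssh_at_least "<banner>" MAJOR MINOR PATCH
# Succeeds when the banner's version is >= MAJOR.MINORpPATCH.
openssh_at_least() {
    ver=$(parse_openssh_version "$1") || return 1
    set -- $ver "$2" "$3" "$4"   # $1.$2p$3 installed, $4.$5p$6 required
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ] && return 0; return 1; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ] && return 0; return 1; fi
    [ "$3" -ge "$6" ]
}

# usage: pam_ldap_warn_enabled "<contents of /etc/pam.d/sshd>"
# Succeeds when an account line loads pam_ldap.so and none of those lines
# carries no_warn, the option that would suppress the expiry warning.
pam_ldap_warn_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "account" && /pam_ldap\.so/ {
            found = 1
            for (i = 3; i <= NF; i++) if ($i == "no_warn") suppressed = 1
        }
        END { exit !(found && !suppressed) }'
}

# Constructed sample inputs mirroring the thread (not captured from a system).
SAMPLE_BANNER='OpenSSH_4.1p1, OpenSSL 0.9.7e 25 Oct 2004'
SAMPLE_PAM='account sufficient      pam_ldap.so debug
account required        pam_unix2.so'

# Report both conditions. On a live host, run:
#   diagnose "$(ssh -V 2>&1)" "$(cat /etc/pam.d/sshd)"
diagnose() {
    if openssh_at_least "$1" 4 3 2; then echo "sshd: version OK (>= 4.3p2)"
    else echo "sshd: older than 4.3p2; the thread reports warnings were not relayed"; fi
    if pam_ldap_warn_enabled "$2"; then echo "pam: account stack will emit the warning"
    else echo "pam: no pam_ldap account line, or no_warn is set"; fi
}

diagnose "$SAMPLE_BANNER" "$SAMPLE_PAM"
```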