
Re: No more logins after upgrade to deb 5.0



I have got an UPDATE for this topic:

Using Debian 4.0, in an LDAP/ppolicy client/server configuration for authentication, I have still been able to log in to a console or via ssh with a user account whose LDAP password has expired. Well.. on your next login you have been forced to change/update your password, but you have not been locked out. This behaviour has been independent of any "grace login" configurations. In fact, there has been no important difference if you have set your grace logins to 3 or 0 - the only thing back there in Debian 4.0 was that with a grace login of 3 you had +3 more login chances before you are "forced" to change your password. So.. in short... under Debian 4.0 the grace login feature of OpenLDAP / ppolicy had no real useful effect as long as your "LDAP client app" makes use of it.

Now with Debian 5.0 something at "some LDAP component" has changed. I cannot say if it's pam_ldap, ppolicy or OpenLDAP itself, but something there now behaves differently and requires a small configuration change!

The keyword is "grace logins" or the "pwdGraceAuthNLimit" attribute in your password policy object in your LDAP DIT. While in Debian 4 this parameter doesn't really matter, in Debian 5.0 it can be vital! Because NOW some LDAP component (package) makes real use of this parameter/service, and if this parameter is set to 0 (ZERO) and your LDAP users' passwords expire, they become completely LOCKED OUT of your systems. So make sure you set this parameter to at least 1 - so your users get at least ONE chance to change their password "after" it is expired.

Btw.. if a user's password is expired and as long as he has not used all his grace logins, he can still log in, BUT still there won't be any warning or message that his password is expired and how many grace logins are left for the user. So it seems you have to handle all that by yourself!

I really hope my little report here will save some time for someone out there.
Regards
Axel
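
As an added example (not part of Axel's post, and not OpenLDAP's own tooling), here is a small audit script for the lock-out condition he describes: it reads an LDIF export of your password-policy entries and flags every pwdPolicy object where passwords expire (pwdMaxAge > 0) but pwdGraceAuthNLimit is 0 or absent, then emits the ldapmodify change record that sets it to 1. The sample LDIF, the DNs and the policy names are constructed; the assumption that an absent pwdGraceAuthNLimit means "no grace binds" follows the ppolicy draft's default and is marked in the code.

```python
"""Audit OpenLDAP ppolicy entries for expiring passwords with no grace logins.

Usage: python ppolicy_grace_audit.py < policies.ldif
(e.g. after: ldapsearch -LLL -x -b ou=policies,dc=example,dc=com '(objectClass=pwdPolicy)')
"""
import sys

# Constructed sample export: two policy objects, one of which will lock users out.
SAMPLE_LDIF = """\
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: default
sn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdGraceAuthNLimit: 0

dn: cn=staff,ou=policies,dc=example,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: staff
sn: staff
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdGraceAuthNLimit: 1
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines
    (leading space) joined, '#' comments skipped. Attribute names are
    lower-cased; base64 ('::') values are kept as opaque strings."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries, current = [], None
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def grace_limit(entry):
    """pwdGraceAuthNLimit as an int. Assumption (per the ppolicy draft's
    default): an absent attribute means 0, i.e. no grace binds at all."""
    values = entry["attrs"].get("pwdgraceauthnlimit")
    return int(values[0]) if values else 0


def audit_policies(ldif_text):
    """Return the DNs of pwdPolicy entries whose expired users would be locked out."""
    at_risk = []
    for entry in parse_ldif(ldif_text):
        classes = [c.lower() for c in entry["attrs"].get("objectclass", [])]
        if "pwdpolicy" not in classes:
            continue
        max_age = int(entry["attrs"].get("pwdmaxage", ["0"])[0])
        if max_age > 0 and grace_limit(entry) < 1:
            at_risk.append(entry["dn"])
    return at_risk


def fix_ldif(dn, limit=1):
    """Change record for ldapmodify that gives users `limit` grace login(s)."""
    return (f"dn: {dn}\n"
            f"changetype: modify\n"
            f"replace: pwdGraceAuthNLimit\n"
            f"pwdGraceAuthNLimit: {limit}\n")


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn in audit_policies(data):
        print(f"# LOCK-OUT RISK: {dn} expires passwords with no grace logins")
        print(fix_ldif(dn))
```

Pipe the script's output into `ldapmodify -x -D <admin DN> -W` once you have reviewed it; the check only reads the export, so it is safe to run against a production policy tree.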


