[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: No more logins after upgrade to deb 5.0

I have got an UPDATE for this Topic:

Using Debian 4.0, in a LDAP/ppolicy Client/Server configuration for authentication i have been still able to login to a console or via ssh with an useraccount whos ldap password has been expired. well.. on your next login you have been forced to change/update your password, but you have not been locked out. this behaviour has been Independent of any "grace login" configurations. in fact, there has been no important difference if you have set your grace logins to 3 or 0 - the only thing back there in debian 4.0 was that with a grace login of 3 you had +3 more login chances before you are "forced" to change your password. so.. in short... under debian 4.0 the grace login feature of openldap / ppolicy had no real usefull effect as long your "ldap client app" makes use of.

Now with Debian 5.0 something at "some ldap component" had changed. i cannot say if its pam_ldap , ppolicy or openldap itself. but something there now behaves different now and requires a small configuration change!

The Keyword is "grace logins" or the "pwdGraceAuthNLimit" attribute in your password policy object in your LDAP DIT. While in debian 4 this parameter doesnt realy matters in debian 5.0 it can be vital! because NOW some ldap component (package) makes real use of this parameter/service and if this parameter is set to 0 ( ZERO) and your ldap-users passwords expire they become completly LOCKED OUT of your systems. So make sure you set this parameter to at least 1 - so your users get at least ONE chance to change their password "after" it is expired.

btw.. if a users password is expired and until he did not used alls his grace logins he can still login, BUT still there wont be any warning or message that his password is expired and how much grace logins are left for the user. so it seems you have to handle all that by yourself!

i realy hope my little report here will save some time for someone out there.

Reply to: