I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect. I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords works, so I know it's not grossly misconfigured or something.
I've spent a few days looking into this and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what are the requirements to get pwdReset functioning with sssd?
Thanks.
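The post contrasts two ppolicy conditions: an administrative reset (pwdReset: TRUE) that is not being enforced, and an aged password (pwdChangedTime past the policy's pwdMaxAge) that is. Both can be evaluated outside sssd and PAM straight from the directory's operational attributes, which narrows down whether the flag is even present on the entry before suspecting the client stack. The following is an added example for this thread, not code from sssd, OpenLDAP or the poster; it parses a constructed LDIF dump (the DNs, timestamps and policy values are invented for illustration) and reports which condition would fire for each user. The pwdMustChange gate on pwdReset follows the poster's reading of slapo-ppolicy and is stated as an assumption in the code.

```python
"""Which OpenLDAP ppolicy condition forces a password change?

Added example for this thread; it is not code from sssd, OpenLDAP or the
poster.  It evaluates, from an LDIF dump, the two conditions the post
contrasts: an administrative reset (pwdReset: TRUE) and an aged password
(pwdChangedTime older than the policy's pwdMaxAge).  The DNs, times and
policy values below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, laid out as `ldapsearch -LLL -b dc=domain1 '*' '+'`
# would print it.  pwdReset, pwdChangedTime and pwdPolicySubentry are
# operational attributes: without the '+' (or naming them explicitly) the
# server omits them and the entry looks like it has no reset pending.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=domain1
uid: alice
pwdChangedTime: 20160801120000Z
pwdReset: TRUE
pwdPolicySubentry: cn=default,ou=policies,dc=domain1

dn: uid=bob,ou=people,dc=domain1
uid: bob
pwdChangedTime: 20160101120000Z
pwdPolicySubentry: cn=default,ou=policies,dc=domain1

dn: uid=carol,ou=people,dc=domain1
uid: carol
pwdChangedTime: 20160801120000Z
pwdPolicySubentry: cn=default,ou=policies,dc=domain1

dn: cn=default,ou=policies,dc=domain1
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMaxAge: 7776000
pwdMustChange: TRUE
"""

PEOPLE = "ou=people,dc=domain1"   # assumed container for user entries


def parse_ldif(text):
    """Parse minimal LDIF (no base64 '::' values, no folded lines) into
    {dn: {attr: [values]}}.  Attribute names are case-insensitive in LDAP,
    so they are lower-cased for lookup."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.setdefault(attr, []).append(value)
    return entries


def generalized_time(value):
    """LDAP GeneralizedTime as ppolicy writes it, e.g. 20160101120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def must_change_password(entries, user_dn, now, default_policy_dn=None):
    """Return 'reset', 'expired' or None for the user at `now` (aware UTC).

    Assumption (the poster's reading of slapo-ppolicy): a pending pwdReset
    is only enforced when the governing policy has pwdMustChange: TRUE.
    pwdMaxAge 0 (or absent) means passwords never age out.
    """
    user = entries[user_dn]
    policy_dn = user.get("pwdpolicysubentry", [default_policy_dn])[0]
    policy = entries.get(policy_dn, {}) if policy_dn else {}

    def is_true(entry, attr):
        return entry.get(attr, ["FALSE"])[0].upper() == "TRUE"

    if is_true(policy, "pwdmustchange") and is_true(user, "pwdreset"):
        return "reset"

    max_age = int(policy.get("pwdmaxage", ["0"])[0])
    changed = user.get("pwdchangedtime")
    if max_age > 0 and changed:
        if now - generalized_time(changed[0]) > timedelta(seconds=max_age):
            return "expired"
    return None


def evaluate_sample(now="20160825000000Z"):
    """Run the check over every user in SAMPLE_LDIF; returns {uid: reason}."""
    entries = parse_ldif(SAMPLE_LDIF)
    at = generalized_time(now)
    return {
        e["uid"][0]: must_change_password(entries, dn, at)
        for dn, e in entries.items()
        if dn.endswith(PEOPLE)
    }


if __name__ == "__main__":
    for uid, reason in evaluate_sample().items():
        print(f"{uid}: {reason or 'no change required'}")
```

Run against a real directory, the same logic applies to the output of an ldapsearch that explicitly requests the operational attributes ('+'); if pwdReset is missing from that output the flag was never set on the entry, and the client side is not where to look. If it is present and the policy subentry has pwdMustChange: TRUE, the remaining question is whether the client (sssd's LDAP provider and pam_sss) acts on the server's password policy response, which is what the rest of the thread tries to establish.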
On (25/08/16 20:44), xcorvis@gmail.com wrote:
> I have an environment set up with OpenLDAP, ppolicy and sssd on Ubuntu 12.04. I've got ppolicy working fine, for the most part, but I'm trying to set pwdReset: TRUE in LDAP to force users to change passwords and it's not having any effect. I have pwdMustChange: TRUE in the default password policy, and password prompts for expired passwords works, so I know it's not grossly misconfigured or something.
> I've spent a few days looking into this and from other posts and blogs it sounds like pwdReset can be handled by sssd and is somehow enforced by pam, but I'm not seeing any error messages about pam or password resets (pam verbosity 3 and debug_level 9). With the lack of errors, I'm basically wondering what are the requirements to get pwdReset functioning with sssd?
Ubuntu 12.04 seems to have sssd 1.8.2. The PPA[2] seems to have 1.11.5.
It would be good to test with a more recent version of sssd. You can try sssd in 16.04.
I can confirm that "pwdReset: TRUE" works with the latest sssd 1.13, which is in xenial (16.04).
LS
[1] http://packages.ubuntu.com/search?keywords=sssd&searchon=names&suite...
[2] https://launchpad.net/~sssd/+archive/ubuntu/updates
Thanks Lukas. I just tried on a test machine with 16.04 and sssd 1.13.4-1ubuntu1 and it's having the same problem. It does have identical sssd and pam configs to the 12.04 systems.
I'm not the first person to work on the pam files and I suspect between sssd, cracklib and other things we've managed to make something a little odd. Since this is a work system I'd rather not post all my configs publicly, would you be willing to share your working pam config?
Thanks.
On (25/08/16 21:29), xcorvis@gmail.com wrote:
> Thanks Lukas. I just tried on a test machine with 16.04 and sssd 1.13.4-1ubuntu1 and it's having the same problem. It does have identical sssd and pam configs to the 12.04 systems.
> I'm not the first person to work on the pam files and I suspect between sssd, cracklib and other things we've managed to make something a little odd. Since this is a work system I'd rather not post all my configs publicly, would you be willing to share your working pam config?
Could you provide:
* sssd.conf
* log files with "debug_level=9" after reproducing the issue
LS
Here's the config. I had to sanitize it.
[sssd]
config_file_version = 2
services = nss, pam
domains = domain1

[nss]
filter_groups = root
filter_users = root

[pam]
pam_verbosity = 3

[domain/domain1]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap1.domain1.com,ldaps://ldap2.domain1.com
ldap_chpass_uri = ldaps://ldap1.domain1.com
ldap_search_base = dc=domain1:
enumerate = false
cache_credentials = false
ldap_tls_reqcert = hard
min_id = 1000
debug_level=9
Logs here. I just grabbed the logs for the period during the login, not the sssd startup. http://pastebin.com/1hCx2UK3
Thanks!
On (29/08/16 20:26), xcorvis@gmail.com wrote:
> Here's the config. I had to sanitize it.
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = domain1
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
> pam_verbosity = 3
>
> [domain/domain1]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldaps://ldap1.domain1.com,ldaps://ldap2.domain1.com
> ldap_chpass_uri = ldaps://ldap1.domain1.com
> ldap_search_base = dc=domain1:
> enumerate = false
> cache_credentials = false
> ldap_tls_reqcert = hard
> min_id = 1000
> debug_level=9
>
> Logs here. I just grabbed the logs for the period during the login, not the sssd startup. http://pastebin.com/1hCx2UK3
I am so sorry, I forgot to check the log files for a while and the pastebin has expired. Could you provide new log files?
LS
sssd-users@lists.fedorahosted.org