Package: libpam-ldapd
Version: 0.9.4-3
Severity: normal

Dear Maintainer,

I'm using the OpenLDAP password policy overlay on my ldap-servers to implement
password expiration. The attribute pwdExpireWarning is set to 10 days.
While older versions of libpam-ldapd (in squeeze or wheezy) completely ignored
this setting, the new version in jessie now parses this information.
Unfortunately it doesn't only print a warning to the user when his password
is about to expire, but also prevents him from logging in, even if the password
has not expired yet!

This problem is already described in the nss-pam-ldapd-users mailinglist:
 http://lists.arthurdejong.org/nss-pam-ldapd-users/2015/msg00088.html

   * What led up to the situation?

Trying to log in in via ssh with ldap-account whose password is not yet expired,
 but will expire within pwdExpireWarning seconds.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Changing the ldap-passwort of said account and thereby resetting pwdChangedTime
 and moving the password out of the expire warning period allowed the account
 to log in again.

   * What was the outcome of this action?

Before changing the ldap-password the user was presented with the following 
text:
  WARNING: Your password has expired.
  You must change your password now and login again!
 auth.log showed this line:
  Jul 26 15:50:02 hostname sshd[26160]: pam_ldap(sshd:account): Password will
   expire in 863970 seconds; user=surname.prename;
   err=Authentication token is no longer valid; new one required

   * What outcome did you expect instead?

The User should see a warning after entering his password but should still be 
able
 to log in.

best regards,
Joerg Uibel

-- System Information:
Debian Release: 8.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libpam-ldapd depends on:
ii  libc6              2.19-18
ii  libpam-runtime     1.1.8-3.1
ii  libpam0g           1.1.8-3.1
ii  multiarch-support  2.19-18
ii  nslcd [nslcd-2]    0.9.4-3

libpam-ldapd recommends no packages.

libpam-ldapd suggests no packages.

-- no debconf information


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to