
LDAP-UX + 389-ds

Delcho Tuhchiev
Frequent Advisor

I have an integration between Fedora 389-DS and LDAP-UX Client B5.01 (which is running on HP-UX 11.23). Almost everything works perfectly until I enable status:rhds:check_rhds_policy in pam_authz.policy. I followed all instructions in the "LDAP-UX Client Services B.05.01 Administrator Guide" but no luck.
I've seen that the following message appears in syslog: "sshd[29721]: PAM_AUTHZ: query daemon return failure status 7"

Any ideas? Thanks in advance!

feeble
Valued Contributor

Re: LDAP-UX + 389-ds

I know this thread is old, but I thought I would share my experience so far. I too have not been able to get the check_rhds_policy to work with pam_authz. I set up the proxy user and set the ACIs specified in the LDAP-UX 5.01 admin guide. In the end, the only way I could get the password policies to work is by adding filters to pam_authz.policy.


required:ldap_filter:(passwordexpirationtime>=$[TIMEOFTHEDAY])
PAM_PERM_DENIED:ldap_filter:(nsaccountlock=true)
PAM_MAXTRIES:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))


This is about all you need to make sure users cannot log in when the directory shows these users' passwords as expired, or the account as locked/inactive.


I hope this helps someone.

feeble
Valued Contributor

Re: LDAP-UX + 389-ds

I need to revise this. I ran into issues. This has worked for me.


PAM_NEW_AUTHTOK_REQD:ldap_filter:(passwordexpirationtime<=$[TIMEOFTHEDAY])
PAM_ACCT_EXPIRED:ldap_filter:(nsaccountlock=true)
PAM_ACCT_EXPIRED:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))


I am still trying to figure out how to get the status:rhds:check_rhds_policy line to work properly.
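To see what the three ldap_filter rules in the revised reply actually decide for a given account, here is an added offline model (example code written for this thread, not from the poster or from LDAP-UX). It assumes, as a modelling choice not stated on the page, that rules are tried top to bottom, the first match sets the PAM status, and a user matching none is allowed through; the user entries are constructed sample data.

```python
"""Offline model of the pam_authz.policy ldap_filter rules from the revised reply."""
from datetime import datetime, timezone

def gen_time(dt):
    """Render a datetime as LDAP GeneralizedTime, the format 389-DS stores
    in passwordExpirationTime and what $[TIMEOFTHEDAY] is compared against."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def parse_gen_time(s):
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def password_expired(entry, now):
    # (passwordexpirationtime<=$[TIMEOFTHEDAY]); an absent attribute never matches
    exp = entry.get("passwordexpirationtime")
    return exp is not None and parse_gen_time(exp) <= now

def account_locked(entry, now):
    # (nsaccountlock=true): administratively inactivated account
    return entry.get("nsaccountlock", "").lower() == "true"

def locked_by_retries(entry, now):
    # (&(accountunlocktime=19700101000000Z)(passwordretrycount=3)):
    # retry limit hit and no unlock time scheduled (epoch = locked indefinitely)
    return (entry.get("accountunlocktime") == "19700101000000Z"
            and entry.get("passwordretrycount") == "3")

# Assumption: first matching rule wins, in the order the reply lists them.
RULES = [
    ("PAM_NEW_AUTHTOK_REQD", password_expired),
    ("PAM_ACCT_EXPIRED", account_locked),
    ("PAM_ACCT_EXPIRED", locked_by_retries),
]

def authz_status(entry, now):
    for status, matches in RULES:
        if matches(entry, now):
            return status
    return "PAM_SUCCESS"

# Constructed sample entries (not real directory data).
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
USERS = {
    "alice": {"passwordexpirationtime": "20241231000000Z", "passwordretrycount": "0"},
    "bob":   {"passwordexpirationtime": "20240101000000Z"},
    "carol": {"nsaccountlock": "true", "passwordexpirationtime": "20250101000000Z"},
    "dave":  {"accountunlocktime": "19700101000000Z", "passwordretrycount": "3"},
}

if __name__ == "__main__":
    for name, attrs in USERS.items():
        print(f"{name:6} -> {authz_status(attrs, NOW)}")
```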