LDAP-UX + 389-ds

Frequent Advisor

LDAP-UX + 389-ds

I have an integration between Fedora 389-DS and LDAP-UX Client B5.01 (running on HP-UX 11.23). Almost everything works perfectly until I enable status:rhds:check_rhds_policy in pam_authz.policy. I followed all the instructions in the "LDAP-UX Client Services B.05.01 Administrator Guide" but no luck.
I've seen that the following message appears in syslog: "sshd[29721]: PAM_AUTHZ: query daemon return failure status 7"

Any ideas? Thanks in advance!

2 REPLIES
Valued Contributor

Re: LDAP-UX + 389-ds

I know this thread is old, but I thought I would share my experience so far. I too have not been able to get check_rhds_policy to work with pam_authz. I set up the proxy user and set the ACIs specified in the LDAP-UX 5.01 admin guide. In the end, the only way I could get the password policies to work was by adding filters to pam_authz.policy.

required:ldap_filter:(passwordexpirationtime>=$[TIMEOFTHEDAY])
PAM_PERM_DENIED:ldap_filter:(nsaccountlock=true)
PAM_MAXTRIES:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))

This is about all you need to make sure users cannot log in when the directory shows these users' passwords as expired, or their accounts as locked/inactive.

I hope this helps someone.

Valued Contributor

Re: LDAP-UX + 389-ds

I need to revise this. I ran into issues. This has worked for me.

PAM_NEW_AUTHTOK_REQD:ldap_filter:(passwordexpirationtime<=$[TIMEOFTHEDAY])
PAM_ACCT_EXPIRED:ldap_filter:(nsaccountlock=true)
PAM_ACCT_EXPIRED:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))

I am still trying to figure out how to get the status:rhds:check_rhds_policy line to work properly.
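As an added illustration, not code from the thread or from HP or 389-DS, here is a small Python audit script that applies the revised pam_authz.policy filter lines above to constructed sample directory entries, so an administrator can preview which accounts would be denied before switching the filters on. It assumes first-match rule ordering, that an absent attribute never matches, and that $[TIMEOFTHEDAY] is substituted as a GeneralizedTime string in UTC.

```python
from datetime import datetime, timezone

# The three filter lines from the revised reply, as (status, AND-ed terms).
RULES = [
    ("PAM_NEW_AUTHTOK_REQD", [("passwordexpirationtime", "<=", "$[TIMEOFTHEDAY]")]),
    ("PAM_ACCT_EXPIRED", [("nsaccountlock", "=", "true")]),
    ("PAM_ACCT_EXPIRED", [("accountunlocktime", "=", "19700101000000Z"),
                          ("passwordretrycount", "=", "3")]),
]

# Constructed sample entries (not real directory data) carrying the 389-DS
# operational attributes the filters test.
SAMPLE_ENTRIES = {
    "uid=alice": {"passwordexpirationtime": "20991231235959Z"},
    "uid=bob":   {"passwordexpirationtime": "20200101000000Z"},
    "uid=carol": {"passwordexpirationtime": "20991231235959Z", "nsaccountlock": "true"},
    "uid=dave":  {"passwordexpirationtime": "20991231235959Z",
                  "accountunlocktime": "19700101000000Z", "passwordretrycount": "3"},
    # Two failed tries only: the AND in the third rule must NOT fire.
    "uid=erin":  {"passwordexpirationtime": "20991231235959Z",
                  "accountunlocktime": "19700101000000Z", "passwordretrycount": "2"},
}

def time_of_day(now=None):
    """Current UTC time in LDAP GeneralizedTime form, e.g. 20240601120000Z."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%d%H%M%SZ")

def term_matches(entry, attr, op, value, now_str):
    actual = entry.get(attr)
    if actual is None:          # assumption: missing attribute never matches
        return False
    if value == "$[TIMEOFTHEDAY]":
        value = now_str
    if op == "=":
        return actual.lower() == value.lower()
    # Same-format GeneralizedTime strings compare correctly as plain strings.
    if op == "<=":
        return actual <= value
    if op == ">=":
        return actual >= value
    raise ValueError("unsupported operator %r" % op)

def evaluate(entry, now_str=None):
    """Return the PAM status the first matching rule yields, else PAM_SUCCESS."""
    now_str = now_str or time_of_day()
    for status, terms in RULES:
        if all(term_matches(entry, a, o, v, now_str) for a, o, v in terms):
            return status
    return "PAM_SUCCESS"

def audit(entries, now_str=None):
    return {dn: evaluate(e, now_str) for dn, e in entries.items()}
```

Run `audit(SAMPLE_ENTRIES)` to list each DN with the status the filters would return; swap in entries exported from your own directory to check the policy before enabling it.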