Operating System - HP-UX

NDS-LDAP password policies are not enforced by LDAP-UX


Hello gurus,

I'm having a problem getting my LDAP-UX client to have the password policies I've defined in Netscape Directory Server enforced.

My systems are in Trusted mode so I've copied the pam.conf.trusted to pam.conf.

I defined a password policy for userA and deliberately changed the passwordexpirationtime to some date in 2001. Whether I try with telnet or ssh to login, it lets me through without a hitch. I've enabled all logs possible and I can't see anything that would suggest that my password's expired.

I can do an ldapsearch on my user and I can see the passwordexpirationtime value.

Shouldn't it prompt me that my password's expired?

I have NDS 6.21, LDAP-UX B.04.00.02, HP-UX 11i.

Thanks!
Carpe Diem
Steven E. Protter
Exalted Contributor

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Shalom,

Check /etc/nsswitch.conf to see that its got ldap as the primary authentication for passwords.

Make sure the user id in question is not duplicated in /etc/passwd

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com

Re: NDS-LDAP password policies are not enforced by LDAP-UX


# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf. It
# uses LDAP (Lightweight Directory Access Protocol) in conjunction with
# dns & files.
#

passwd: files ldap
group: files ldap
hosts: dns files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=return] files
netgroup: files ldap
automount: files ldap
aliases: files
services: files ldap


Also I've checked the password file and my user is not defined in it.
Carpe Diem
Ivan Ferreira
Honored Contributor

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Are you logging in via SSH? In Linux you must configure SSH to use PAM; maybe in HP-UX the PAMAuthenticationViaKbdInt should be configured.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?

Re: NDS-LDAP password policies are not enforced by LDAP-UX

I've tried reversing the search order for passwords in the nsswitch.conf. No effect.

passwd: ldap files
Carpe Diem

Re: NDS-LDAP password policies are not enforced by LDAP-UX

I'm using telnet. I will be using ssh eventually, but I need to get this working with plain vanilla telnet first.
Carpe Diem

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Just to let you know, I still have problems with password policies but I've figured out that there is a problem with user-level password policy. I found out that if I set my password policies globally, it works...somewhat.

Now I'm having a problem where the system realizes that the user's password has expired, prompts me for a new password but somehow cannot change it. I get a
"Failure - LDAP processing error"

Has anybody experienced this before?

Ciao!
Carpe Diem
Weltman, Ulf
Valued Contributor

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Hello Richard. Are you by chance using referrals? There are currently some issues with the automatic referral chasing code when controls are involved, such as the control indicating that the password has expired (LDAP_CONTROL_PWEXPIRED).

If you're not using referrals, check the access log of the Directory Server (/var/opt/netscape/servers/slapd-instance/logs/access). There may be two interesting operations, first a BIND as the user changing password where the result code should be 49 (LDAP_INVALID_CREDENTIALS), indicating the password is invalid, and if it's invalid due to being expired then a MOD operation would follow. The result code from the MOD may be interesting, for example 50 (LDAP_INSUFFICIENT_ACCESS) would indicate the user doesn't have permission to change his own password.

Don't forget that the access log is buffered by default and it may take about 30 seconds for activity to show up.
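The access-log check Ulf describes, as an added example that is not from this thread: it pairs each BIND and MOD with its RESULT line by conn/op and flags a connection where a BIND returned err=49 and a later MOD of the same DN returned err=50. The sample lines are constructed and the Netscape Directory Server access-log layout ("[ts] conn=N op=M BIND ..." followed by "conn=N op=M RESULT err=E ...") is assumed.

```python
import re
from collections import defaultdict
# Constructed sample in Netscape/iPlanet Directory Server access-log layout
# (assumed: "[ts] conn=N op=M BIND|MOD dn=..." then "conn=N op=M RESULT err=E").
SAMPLE_LOG = """\
[14/Mar/2003:10:04:27 -0500] conn=12 op=0 BIND dn="uid=userA,ou=People,o=example" method=128 version=3
[14/Mar/2003:10:04:27 -0500] conn=12 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[14/Mar/2003:10:04:28 -0500] conn=12 op=1 MOD dn="uid=userA,ou=People,o=example"
[14/Mar/2003:10:04:28 -0500] conn=12 op=1 RESULT err=50 tag=103 nentries=0 etime=0
[14/Mar/2003:10:05:01 -0500] conn=13 op=0 BIND dn="uid=userB,ou=People,o=example" method=128 version=3
[14/Mar/2003:10:05:01 -0500] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
"""
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|MOD) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+)')

def parse_operations(log_text):
    """Pair each BIND/MOD with its RESULT via (conn, op); return (conn, kind, dn, err)."""
    pending, ops = {}, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m:                                   # request line: remember until its RESULT
            conn, op, kind, dn = m.groups()
            pending[(conn, op)] = (conn, kind, dn)
            continue
        m = RESULT_RE.search(line)
        if m:                                   # result line: join with the request
            conn, op, err = m.groups()
            req = pending.pop((conn, op), None)
            if req:
                ops.append(req + (int(err),))
    return ops

def expired_password_changes(log_text):
    """Connections where a BIND got err=49 (LDAP_INVALID_CREDENTIALS) and a later
    MOD of the same DN got err=50 (LDAP_INSUFFICIENT_ACCESS): the expired-password
    change being refused for lack of self-write access, as described above."""
    by_conn = defaultdict(list)
    for conn, kind, dn, err in parse_operations(log_text):
        by_conn[conn].append((kind, dn, err))
    findings = []
    for conn, seq in by_conn.items():
        for i, (kind, dn, err) in enumerate(seq):
            if kind == "BIND" and err == 49:
                if any(k == "MOD" and d == dn and e == 50 for k, d, e in seq[i + 1:]):
                    findings.append((conn, dn))
    return findings
if __name__ == "__main__":
    print(expired_password_changes(SAMPLE_LOG))   # [('12', 'uid=userA,ou=People,o=example')]
```

Feed it the real /var/opt/netscape/servers/slapd-instance/logs/access file instead of SAMPLE_LOG, remembering that the log is buffered and may lag by about 30 seconds.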

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Ulf,

Thanks for your reply.

I am not using referrals. But what you are describing in the second paragraph is exactly what's happening. It seems that my user doesn't have access to its own password field.

But, I did the step in LDAP-UX configuration to allow self write on the all fields except uid, uidNumber, gidNumber, and homeDirectory.

What gives?
Carpe Diem

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Hi, Me again.

Has anyone heard of an ACI named "disallow_pw_change_aci"? This is the ACI that is denying me password modification of users with expired passwords.

I've searched my directory tree but I haven't found it.
Carpe Diem
Weltman, Ulf
Valued Contributor

Re: NDS-LDAP password policies are not enforced by LDAP-UX

I believe the support channel passed you my reply but for anyone else looking at this thread:

That ACI is automatically added when a global passwordChange=off password policy has been set. It should be automatically removed when the pwp setting is disabled. It sounds like it did get removed when you modified another ACI on the root entry.

Re: NDS-LDAP password policies are not enforced by LDAP-UX

Hello everybody,

I finally got my password policies working, although not the way I would have liked to. Apparently, the NDS software is not that stable (at least not the 6.21 version).

When I noticed that all this had something to do with ACI, I started to play around with them. So, by changing one ACI and then changing it back, the whole thing started working. (Welcome to the twilight zone)

As I like to say, I used the "Bang the side of the TV" method and it worked! I had this call opened at HP Support and they're as puzzled as I.

Anyway, I'd like to thank everybody that put in their two cents in this thread.

Cheers!
Carpe Diem

Re: NDS-LDAP password policies are not enforced by LDAP-UX

This thread is closed.

Thank you all.
Carpe Diem