Bug 712294
Summary: | Account Policy Plugin does not work for simple binds when PAM Pass Through Auth plugin is enabled | | |
---|---|---|---|
Product: | [Retired] 389 | Reporter: | Andrey Ivanov <andrey.ivanov> |
Component: | Server - Plugins | Assignee: | Rich Megginson <rmeggins> |
Status: | CLOSED UPSTREAM | QA Contact: | Chandrasekar Kannan <ckannan> |
Severity: | medium | CC: | benl |
Priority: | unspecified | Hardware: | x86_64 |
Version: | 1.2.8 | OS: | Linux |
Fixed In Version: | 389-ds-base-1.2.10.rc1 | Doc Type: | Bug Fix |
Last Closed: | 2012-02-07 16:10:55 UTC | Bug Blocks: | 690319 |

Description
Andrey Ivanov
2011-06-10 07:25:24 UTC
Is there a PAM plugin that does account activity management?

In our configuration the 389 PAM passthrough plugin uses a very basic pam configuration (the file /etc/pam.d/ldapserver):

----
auth sufficient /lib64/security/pam_krb5.so no_user_check
account required /lib64/security/pam_krb5.so no_user_check
----

It checks the kerberos password, that's all it does (no user check or account activity management).

(In reply to comment #2)
> In our configuration the 389 PAM passthrough plugin uses a very basic pam
> configuration (the file /etc/pam.d/ldapserver):
>
> ----
> auth sufficient /lib64/security/pam_krb5.so no_user_check
> account required /lib64/security/pam_krb5.so no_user_check
> ----
>
> It checks the kerberos password, that's all it does (no user check or account
> activity management).

Does kerberos keep track of last login?

Yes. Starting at least from the version 1.8 (maybe even earlier) MIT Kerberos server keeps track of failed and successful logins. It can be obtained from the KDC server with kadmin(.local) utility.

Upstream ticket: https://fedorahosted.org/389/ticket/39

Fixed in 389-ds-base-1.2.10.rc1 now in Fedora/EPEL Testing