Bug 190256 - pam_ldap won't allow expired password changes
Summary: pam_ldap won't allow expired password changes
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
URL: http://bugzilla.padl.com/show_bug.cgi...
Whiteboard:
Keywords:
Depends On:
Blocks: 176344
Reported: 2006-04-29 13:01 UTC by Jose Plans
Modified: 2015-01-08 00:12 UTC

Fixed In Version: RHBA-2007-0267
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 17:31:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
Fix force change password after reset (765 bytes, patch), attached 2006-04-29 13:01 UTC by Jose Plans


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2007:0267 | normal | SHIPPED_LIVE | nss_ldap bug fix update | 2007-05-01 17:31:31 UTC
PADL Software | 209 | None | None | None | Never

Description Jose Plans 2006-04-29 13:01:32 UTC
Description of problem:
If an LDAP account has expired, pam_ldap won't force the change.

Version-Release number of selected component (if applicable):
pam_ldap revision 176.
RHEL4 package: nss_ldap-226-10-i386

How reproducible:
Always.

Steps to Reproduce:
1. Set up users on an LDAP server (Customer: RHEL4 LDAP Server running NSDSv7.1)
2. Reset a user password.
3. Console shows flashing:
   Change after reset
   Permission Denied

Actual results:
Impossible to login.

Expected results:
User should be forced to change their password.


Additional info:
The customer has also opened a bugzilla with PADL Software.
More data from their report:

From /var/log/messages:

Jun 16 10:39:27 lulu gpm[2258]: *** info [mice.c(1766)]:
Jun 16 10:39:27 lulu gpm[2258]: imps2: Auto-detected intellimouse PS/2
Jun 16 10:39:35 lulu unix_chkpwd[28399]: check pass; user unknown
Jun 16 10:39:35 lulu login(pam_unix)[28263]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=tfalgout
Jun 16 10:39:35 lulu unix_chkpwd[28400]: could not get username from shadow (tfalgout))
Jun 16 10:39:35 lulu login[28263]: Permission denied
Jun 16 10:39:35 lulu init: open(/dev/pts/0): No such file or directory
Nothing logged to /var/log/secure

The login PAM module:

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077

The system-auth PAM module (created by authconfig):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
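
The two PAM service files quoted in the report, flattened and audited with a small parser. This is an added example, not code from the bug report or from the nss_ldap/pam_ldap project. The configuration strings are constructed copies of the login and system-auth files shown above, with the extraction-wrapped lines re-joined as they are on disk; the keyword-to-bracket control equivalences are the ones documented in pam.conf(5). The script resolves the pam_stack.so service= includes and reports, for each module in the account stack, what the control field does with a PAM_NEW_AUTHTOK_REQD ("password must be changed") return versus a PAM_PERM_DENIED one, which is the distinction this bug turns on.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed copies of the two service files quoted in the report (login and
# system-auth), with the extraction-wrapped lines re-joined as they are on disk.
LOGIN_CONF = """\
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
session    required     pam_selinux.so multiple open
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
"""

SYSTEM_AUTH_CONF = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
"""

# Bracket equivalents of the simple control keywords, as given in pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

class Rule(NamedTuple):
    type: str        # auth, account, password or session
    control: str     # keyword or "[value=action ...]" string
    module: str      # module basename, e.g. pam_ldap.so
    args: List[str]

# type, control (bracket form or single word), module path, optional arguments
RULE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text: str) -> List[Rule]:
    """Parse one PAM service file; '#' starts a comment, blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM rule: {raw!r}")
        rules.append(Rule(m[1], m[2], m[3].rsplit("/", 1)[-1], m[4].split()))
    return rules

def flatten(service: str, services: Dict[str, List[Rule]]) -> List[Rule]:
    """Replace each 'pam_stack.so service=X' rule with X's rules of the same type."""
    out: List[Rule] = []
    for r in services[service]:
        if r.module == "pam_stack.so":
            sub = next(a.split("=", 1)[1] for a in r.args if a.startswith("service="))
            out.extend(x for x in flatten(sub, services) if x.type == r.type)
        else:
            out.append(r)
    return out

def action_for(control: str, retval: str) -> str:
    """Action the control field selects for a PAM return value such as new_authtok_reqd."""
    spec = SIMPLE_CONTROLS.get(control, control)
    table = dict(item.split("=", 1) for item in spec.strip("[]").split())
    # Assumption: a value that is not listed and has no default= entry is treated as bad.
    return table.get(retval, table.get("default", "bad"))

def audit_account_stack(service: str, services: Dict[str, List[Rule]]) -> List[dict]:
    """For each account-stack module, how 'must change password' vs 'denied' is handled."""
    return [
        {"module": r.module, "control": r.control,
         "on_new_authtok_reqd": action_for(r.control, "new_authtok_reqd"),
         "on_perm_denied": action_for(r.control, "perm_denied")}
        for r in flatten(service, services) if r.type == "account"
    ]

SERVICES = {"login": parse_pam(LOGIN_CONF), "system-auth": parse_pam(SYSTEM_AUTH_CONF)}

if __name__ == "__main__":
    for row in audit_account_stack("login", SERVICES):
        print(f'{row["module"]:<20} new_authtok_reqd->{row["on_new_authtok_reqd"]:<7}'
              f' perm_denied->{row["on_perm_denied"]:<7} {row["control"]}')
```

Running it shows that the `[default=bad success=ok user_unknown=ignore]` control on pam_ldap.so lists no new_authtok_reqd action, so both a "password must be changed" result and a "permission denied" result fall under default=bad. pam.conf(5) states that a bad action still makes the module's own status the stack result when it is the first failure, so login can only go on to prompt for a new password if pam_ldap actually returns PAM_NEW_AUTHTOK_REQD rather than PAM_PERM_DENIED; the "Permission denied" in the report's console output and log is consistent with the latter.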

Comment 1 Jose Plans 2006-04-29 13:01:34 UTC
Created attachment 128389
Fix force change password after reset

Comment 6 RHEL Product and Program Management 2006-08-18 16:03:15 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 21 Red Hat Bugzilla 2007-05-01 17:31:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0267.html


