Bug 190256 - pam_ldap won't allow expired password changes
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Nalin Dahyabhai
Jay Turner
Blocks: 176344
Reported: 2006-04-29 09:01 EDT by Jose Plans
Modified: 2015-01-07 19:12 EST
CC: 2 users

Fixed In Version: RHBA-2007-0267
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:31:33 EDT

Attachments
Fix force change password after reset (765 bytes, patch)
2006-04-29 09:01 EDT, Jose Plans

External Trackers
Tracker ID Priority Status Summary Last Updated
PADL Software 209 None None None Never

Description Jose Plans 2006-04-29 09:01:32 EDT
Description of problem:
If a ldap account has expired, pam_ldap won't force the change.

Version-Release number of selected component (if applicable):
pam_ldap revision 176.
RHEL4 package: nss_ldap-226-10-i386

How reproducible:

Steps to Reproduce:
1. Set up users on an LDAP server (Customer: RHEL4 LDAP Server running NSDSv7.1)
2. Reset a user password.
3. Console shows flashing:
 Change after reset
 Permission Denied

Actual results:
Impossible to login.

Expected results:
User should be forced to change their password.

Additional info:
The customer has also opened a bugzilla with PADL Software.
More data from their report:

From /var/log/messages:

Jun 16 10:39:27 lulu gpm[2258]: *** info [mice.c(1766)]:
Jun 16 10:39:27 lulu gpm[2258]: imps2: Auto-detected intellimouse PS/2
Jun 16 10:39:35 lulu unix_chkpwd[28399]: check pass; user unknown
Jun 16 10:39:35 lulu login(pam_unix)[28263]: authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=tfalgout
Jun 16 10:39:35 lulu unix_chkpwd[28400]: could not get username from shadow
Jun 16 10:39:35 lulu login[28263]: Permission denied
Jun 16 10:39:35 lulu init: open(/dev/pts/0): No such file or directory
Nothing logged to /var/log/secure.

The login pam module:

auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
The system-auth pam module (created by authconfig):

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
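The following is an added example, not code from the bug report or from pam_ldap: a small model of how Linux-PAM combines module return codes, run over the account and password stacks of the system-auth file quoted above, using the keyword expansions and ok/done/bad/die/ignore rules documented in pam.conf(5). The bracketed account line on the page has no module path, so the example assumes it is pam_ldap.so, and every per-module return code in the scenario is constructed.

```python
# Added example (not code from the bug report): a model of how Linux-PAM combines
# module return codes, applied to the account and password stacks quoted above.
# Keyword expansions and the ok/done/bad/die/ignore rules follow pam.conf(5). The
# bracketed account line on the page has no module path; it is ASSUMED to be
# pam_ldap.so, and every per-module return code below is constructed.
KEYWORDS = {  # pam.conf(5): what each control keyword is equivalent to
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
}
def parse_control(control):
    """'[default=bad success=ok ...]' -> {'default': 'bad', 'success': 'ok', ...}"""
    control = KEYWORDS.get(control, control)
    return dict(item.split("=", 1) for item in control.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> 'PAM_*' code it returns.
    Returns the code the application (login) sees for that management group."""
    impression, status = None, None          # None: no module has weighed in yet
    for control, module in stack:
        retval = results[module]
        actions = parse_control(control)
        action = actions.get(retval[4:].lower(), actions["default"])
        if action in ("ok", "done"):
            # ok/done only overwrite a stack state that is still PAM_SUCCESS
            if impression is None or (impression == "positive" and status == "PAM_SUCCESS"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break                        # sufficient: stop on success
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break                        # requisite: stop at once
        # "ignore": this module contributes nothing to the result
    return status if impression is not None else "PAM_PERM_DENIED"

ACCOUNT = [("required", "pam_unix.so"), ("sufficient", "pam_succeed_if.so"),
           ("[default=bad success=ok user_unknown=ignore]", "pam_ldap.so"),  # module ASSUMED
           ("required", "pam_permit.so")]
PASSWORD = [("requisite", "pam_cracklib.so"), ("sufficient", "pam_unix.so"),
            ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]

def ldap_user_after_reset():
    """Constructed scenario: LDAP user (uid >= 100) whose password was just reset."""
    acct = run_stack(ACCOUNT, {"pam_unix.so": "PAM_SUCCESS", "pam_succeed_if.so": "PAM_AUTH_ERR",
                               "pam_ldap.so": "PAM_NEW_AUTHTOK_REQD", "pam_permit.so": "PAM_SUCCESS"})
    # login answers PAM_NEW_AUTHTOK_REQD by running the password stack; if pam_ldap
    # cannot complete the change, no other module in that stack can, and the failure
    # is handed back to login.
    pw = run_stack(PASSWORD, {"pam_cracklib.so": "PAM_SUCCESS", "pam_unix.so": "PAM_USER_UNKNOWN",
                              "pam_ldap.so": "PAM_AUTHTOK_ERR", "pam_deny.so": "PAM_AUTHTOK_ERR"})
    return acct, pw
```

Because the bracketed control maps new_authtok_reqd to the "bad" default, a later pam_permit success cannot overwrite it, so PAM_NEW_AUTHTOK_REQD is what reaches login from the account stack; whether the forced change then succeeds depends entirely on pam_ldap in the password stack.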
Comment 1 Jose Plans 2006-04-29 09:01:34 EDT
Created attachment 128389 [details]
Fix force change password after reset
Comment 6 RHEL Product and Program Management 2006-08-18 12:03:15 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 21 Red Hat Bugzilla 2007-05-01 13:31:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

