Bug 190256 - pam_ldap won't allow expired password changes
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: nss_ldap
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Jay Turner
URL: http://bugzilla.padl.com/show_bug.cgi...
Blocks: 176344
Reported: 2006-04-29 09:01 EDT by Jose Plans
Modified: 2015-01-07 19:12 EST (History)
Fixed In Version: RHBA-2007-0267
Doc Type: Bug Fix
Last Closed: 2007-05-01 13:31:33 EDT

Attachments
Fix force change password after reset (765 bytes, patch)
2006-04-29 09:01 EDT, Jose Plans

External Trackers
Tracker: PADL Software  ID: 209  Priority: None  Status: None  Summary: None  Last Updated: Never

Description Jose Plans 2006-04-29 09:01:32 EDT
Description of problem:
If an LDAP account has expired, pam_ldap won't force the change.

Version-Release number of selected component (if applicable):
pam_ldap revision 176.
RHEL4 package: nss_ldap-226-10-i386

How reproducible:
Always.

Steps to Reproduce:
1. Set up users on an LDAP server (Customer: RHEL4 LDAP Server running NSDSv7.1)
2. Reset a user password.
3. Console shows flashing:
   Change after reset
   Permission Denied

Actual results:
Impossible to login.

Expected results:
User should be forced to change their password.


Additional info:
The customer has also opened a bugzilla with PADL Software.
More data from their report:

From /var/log/messages:

Jun 16 10:39:27 lulu gpm[2258]: *** info [mice.c(1766)]:
Jun 16 10:39:27 lulu gpm[2258]: imps2: Auto-detected intellimouse PS/2
Jun 16 10:39:35 lulu unix_chkpwd[28399]: check pass; user unknown
Jun 16 10:39:35 lulu login(pam_unix)[28263]: authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=  user=tfalgout
Jun 16 10:39:35 lulu unix_chkpwd[28400]: could not get username from shadow (tfalgout))
Jun 16 10:39:35 lulu login[28263]: Permission denied
Jun 16 10:39:35 lulu init: open(/dev/pts/0): No such file or directory
Nothing logged to /var/log/secure

The login PAM service file:

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so multiple open
session    required     pam_mkhomedir.so skel=/etc/skel umask=0077
The system-auth PAM service file (created by authconfig):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
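Whether login ever gets the chance to force a password change depends on how Linux-PAM folds each module's return code through its control flag in the account stack quoted above. The model below is an added example, not code from pam_ldap, Linux-PAM or this report: it reproduces the keyword-to-action table documented in pam.conf(5) and a simplified form of Linux-PAM's dispatch rules (no reset or jump actions, no substack), and the pam_ldap return values it feeds in are constructed. It shows that the bracketed control authconfig writes for pam_ldap passes PAM_NEW_AUTHTOK_REQD through to the application, which is the only status that makes login call pam_chauthtok, while user_unknown=ignore keeps local-only accounts working and the pam_succeed_if entry short-circuits the stack for system accounts.

```python
"""Model of Linux-PAM control-flag resolution, applied to the account
stack of the system-auth file quoted above.

Added example: this is neither Linux-PAM's nor pam_ldap's code. The
keyword expansions are the ones documented in pam.conf(5); the dispatch
rules follow Linux-PAM's pam_dispatch.c in simplified form (no 'reset'
or jump actions, no substack). The module return values fed in below
are constructed to show what login would see, not taken from the report.
"""

# What pam.conf(5) says the four keyword controls expand to.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(token):
    """Turn 'required' or '[default=bad success=ok user_unknown=ignore]'
    into a {return_code_name: action} table."""
    if token.startswith("["):
        table = dict(pair.split("=", 1) for pair in token.strip("[]").split())
    else:
        table = dict(KEYWORD_CONTROLS[token])
    table.setdefault("default", "bad")   # Linux-PAM treats a missing default as 'bad'
    return table


def run_stack(entries):
    """entries: [(control, module, simulated PAM_* return value)].
    Returns the status the calling application (e.g. login) gets back."""
    impression = None        # None = undecided, "positive" or "negative"
    status = "PAM_SUCCESS"
    for control, module, retval in entries:
        table = parse_control(control)
        key = retval[len("PAM_"):].lower()          # PAM_NEW_AUTHTOK_REQD -> new_authtok_reqd
        action = table.get(key, table["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A later positive result only overrides an earlier PAM_SUCCESS;
            # that is how PAM_NEW_AUTHTOK_REQD replaces a prior success.
            if impression is None or (impression == "positive" and status == "PAM_SUCCESS"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            # The first failing module's code becomes the stack's status.
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        else:
            raise ValueError(f"unsupported action {action!r} for {module}")
    # Sanity check from pam_dispatch.c: success without a positive impression is a denial.
    if status == "PAM_SUCCESS" and impression != "positive":
        status = "PAM_PERM_DENIED"
    return status


def account_stack(ldap_retval, ldap_control="[default=bad success=ok user_unknown=ignore]",
                  uid=1000):
    """The account phase of the quoted system-auth, with pam_ldap's return
    value injected (constructed). pam_unix is assumed to return success
    because broken_shadow makes a missing shadow entry non-fatal; the
    pam_succeed_if entry succeeds only for uid < 100 and, being
    'sufficient', ends the stack there for system accounts."""
    return run_stack([
        ("required",   "pam_unix.so broken_shadow",   "PAM_SUCCESS"),
        ("sufficient", "pam_succeed_if.so uid < 100", "PAM_SUCCESS" if uid < 100 else "PAM_AUTH_ERR"),
        (ldap_control, "pam_ldap.so",                 ldap_retval),
        ("required",   "pam_permit.so",               "PAM_SUCCESS"),
    ])


if __name__ == "__main__":
    for rv in ("PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD", "PAM_USER_UNKNOWN", "PAM_AUTHTOK_EXPIRED"):
        print(f"{rv:22} -> {account_stack(rv)}")
    print("PAM_AUTHTOK_EXPIRED under 'sufficient' ->", account_stack("PAM_AUTHTOK_EXPIRED", "sufficient"))
```

Two things to check in a real deployment follow from the model: if the pam_ldap account entry were written as `sufficient`, a PAM_AUTHTOK_EXPIRED from it would fall under default=ignore and the login would succeed with no forced change, whereas the bracketed control turns it into a denial; and only PAM_NEW_AUTHTOK_REQD reaching login triggers pam_chauthtok. The model does not say which module produced the "Permission denied" in the report; the quoted log shows only the pam_unix failure and login's final message.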
Comment 1 Jose Plans 2006-04-29 09:01:34 EDT
Created attachment 128389
Fix force change password after reset
Comment 6 RHEL Product and Program Management 2006-08-18 12:03:15 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 21 Red Hat Bugzilla 2007-05-01 13:31:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0267.html
