Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora Directory (http://www.linux-archive.org/fedora-directory/)
-   -   Not allowed to change password once it has expired (http://www.linux-archive.org/fedora-directory/432359-not-allowed-change-password-once-has-expired.html)

Gerrard Geldenhuis 09-27-2010 04:26 PM

Not allowed to change password once it has expired
 
Hi
I am in the midsts of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction.

A certain combination of changes to the global password policy seems to break the abbility to change a user's password.

user1@client01.example's password:
You are required to change your LDAP password immediately.
Last login: Mon Sep 27 16:06:18 2010 from 10.5.11.115
Connection to client01.example closed.

When it works it looks like:
ssh client01 -l user1
user1@client01's password:
You are required to change your LDAP password immediately.
Creating directory '/home/user1'.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1
Enter login(LDAP) password:
Connection to client01 closed.

Settings that we have toggled in the global password policy is:
Enable fine-grained password policy
User must change password after reset
Allow changes in x days


We don't change anything on the client so I am 99% sure its not a a pam misconfiguration.

Best Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

Gerrard Geldenhuis 09-28-2010 12:43 PM

Not allowed to change password once it has expired
 
Hi
I have been unable to reliably recreate this issue. I can however with 95% certainty say that it revolves around the setting "User must change password after Reset"

There is a specific sequence in applying this and the password policy that will break the ability on a client to change his/her password.

I am continuing to test but are secretely hoping someone else has run into a similar problem. Googling the error has suggested a miconfigured pam. I do not believe that PAM is at fault here as I have been using the same client without config changes and the behaviour is different depending on how the auth server was configured.

Regards

________________________________________
From: 389-users-bounces@lists.fedoraproject.org [389-users-bounces@lists.fedoraproject.org] on behalf of Gerrard Geldenhuis [Gerrard.Geldenhuis@betfair.com]
Sent: 27 September 2010 17:26
To: 389-users@lists.fedoraproject.org
Subject: [389-users] Not allowed to change password once it has expired

Hi
I am in the midsts of debugging this but am hoping anyone can shed some light on the issue or point me in the right direction.

A certain combination of changes to the global password policy seems to break the abbility to change a user's password.

user1@client01.example's password:
You are required to change your LDAP password immediately.
Last login: Mon Sep 27 16:06:18 2010 from 10.5.11.115
Connection to client01.example closed.

When it works it looks like:
ssh client01 -l user1
user1@client01's password:
You are required to change your LDAP password immediately.
Creating directory '/home/user1'.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user1
Enter login(LDAP) password:
Connection to client01 closed.

Settings that we have toggled in the global password policy is:
Enable fine-grained password policy
User must change password after reset
Allow changes in x days


We don't change anything on the client so I am 99% sure its not a a pam misconfiguration.

Best Regards

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users

__________________________________________________ ______________________
In order to protect our email recipients, Betfair Group use SkyScan from
MessageLabs to scan all Incoming and Outgoing mail for viruses.

__________________________________________________ ______________________
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


All times are GMT. The time now is 12:45 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.