sshd/pam_ldap not honoring passwordMustChange
passwordExpirationTime might be the root of the problem.
1) Set the user's password in the Console via right-click and
"Properties." Click "Okay."
2) Open Advanced Properties and note that passwordExpirationTime is
3) Log in as the test user with the reset password. The login is
successful, and no password change is required.
4) Return to Advanced Properties, and change passwordExpirationTime to
19700101000000Z without changing the password in Step 1.
5) Log in as the test user with the reset password from step 1. Be forced
through the password change process. Note that the session terminates
after a good, new password is set.
6) Return to Advanced Properties and note that passwordExpirationTime is
I'm not sure if I've missed some aspect of resetting a password from the
console, or if RHDS has a bug in failing to modify passwordExpirationTime
when the password is changed, or if this is something else entirely.
On Wed, June 15, 2011 10:21, Aaron Hagopian wrote:
> I have not seen or used the passwordMustChange attribute before but I can
> tell you that if you set the passwordExpirationTime as following:
> passwordExpirationTime: 19700101000000Z
> It should force the user to change their password on their next login.
> Keep in mind you will not get a prompt if you use a passwordless ssh login via
> rsa key exchange.
> Hope that helps.
> On Tue, Jun 14, 2011 at 5:03 PM, David Barr <firstname.lastname@example.org> wrote:
>> I know this is outside the scope of the 389 list, but my Google-fu is
>> failing me on this one.
>> If I change the password to the account on the LDAP server and verify
>> "passwordmustchange: on," I can ssh in to the test host with the new
>> password all day long, and never get asked to change it.
>> I'm hoping someone has seen a document recently that they could link to.
>> I've seen the "PAM Configuration for LDAP Client Systems" page on the
>> wiki. That deals more with setting password expiration, though.
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
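An added example, not part of the thread and not 389 DS code: a small Python audit that reads an LDIF export and reports, per entry, whether passwordExpirationTime carries the 19700101000000Z value discussed above, a past timestamp, a future one, or is absent, which is the check made by hand in steps 2 and 6. The sample entries, the DNs and the function names are constructed for illustration, and the export is assumed to include passwordExpirationTime as a plain (non-base64) value.

```python
from datetime import datetime, timezone

# Value from the thread: an epoch-zero expiration should force a change at next login.
FORCE_CHANGE = "19700101000000Z"

def parse_ldif(text):
    """Parse plain-value LDIF into a list of {attr_lower: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold RFC 2849 continuation lines
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def classify(entry, now):
    """Return 'unset', 'must-change', 'expired' or 'valid' for one entry."""
    values = entry.get("passwordexpirationtime")
    if not values:
        return "unset"
    if values[0] == FORCE_CHANGE:
        return "must-change"
    expires = datetime.strptime(values[0], "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return "expired" if expires <= now else "valid"

def audit(ldif_text, now=None):
    """Map each DN in the export to its password-expiration state."""
    now = now or datetime.now(timezone.utc)
    return {e["dn"][0]: classify(e, now) for e in parse_ldif(ldif_text) if "dn" in e}

# Constructed sample export (hypothetical DNs and timestamps).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z

dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 20110901120000Z

dn: uid=svc-backup,ou=People,
 dc=example,dc=com
uid: svc-backup
"""

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF).items():
        print(f"{state:12} {dn}")
```

Running it on exports taken before and after a test password change shows whether the attribute actually moved between the two.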