LDAP-UX + 389-ds (570 Views)
Frequent Advisor
Posts: 48
Registered: ‎09-23-2007
Message 1 of 3 (570 Views)

LDAP-UX + 389-ds

I have an integration between Fedora 389-DS and LDAP-UX Client B5.01 (which is running on HP-UX 11.23). Almost everything works perfectly till I enable status:rhds:check_rhds_policy in pam_authz.policy. I followed all instructions in "LDAP-UX Client Services B.05.01 Administrator Guide" but no luck.
I've seen that the following message appears in syslog: "sshd[29721]: PAM_AUTHZ: query daemon return failure status 7"

Any ideas?? Thanks in advance!

Valued Contributor
Posts: 38
Registered: ‎06-30-2011
Message 2 of 3 (470 Views)

Re: LDAP-UX + 389-ds

I know this thread is old, but I thought I would share my experience so far. I too have not been able to get the check_rhds_policy to work with pam_authz. I set up the proxy user and set the ACIs specified in the LDAP-UX 5.01 admin guide. In the end, the only way I could get the password policies to work is by adding filters to pam_authz.policy.


required:ldap_filter:(passwordexpirationtime>=$[TIMEOFTHEDAY])
PAM_PERM_DENIED:ldap_filter:(nsaccountlock=true)
PAM_MAXTRIES:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))


This is about all you need to make sure users cannot log in even though the directory shows these users' passwords expired, or account locked/inactive.


I hope this helps someone.

Valued Contributor
Posts: 38
Registered: ‎06-30-2011
Message 3 of 3 (376 Views)

Re: LDAP-UX + 389-ds

I need to revise this. I ran into issues. This has worked for me.


PAM_NEW_AUTHTOK_REQD:ldap_filter:(passwordexpirationtime<=$[TIMEOFTHEDAY])
PAM_ACCT_EXPIRED:ldap_filter:(nsaccountlock=true)
PAM_ACCT_EXPIRED:ldap_filter:(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))


I am still trying to figure out how to get the status:rhds:check_rhds_policy line to work properly.
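As an added illustration (this is not code from the thread, from LDAP-UX or from 389-DS), the following Python script models how the three ldap_filter rules in the last post could be applied to a user's 389-DS entry to decide which PAM status is returned. It assumes that rules are tried in file order with the first match winning, that PAM_SUCCESS is the result when nothing matches, and that $[TIMEOFTHEDAY] is substituted as an LDAP GeneralizedTime string in UTC; the user entries are constructed, and the filter parser covers only the operators the rules use.

```python
"""Simplified evaluator for pam_authz.policy ldap_filter rules (added example)."""
import re
from datetime import datetime, timezone

# Rules as posted in the last message of this thread. Assumption: the first
# rule whose filter matches the user's entry decides the status.
POLICY = [
    ("PAM_NEW_AUTHTOK_REQD", "(passwordexpirationtime<=$[TIMEOFTHEDAY])"),
    ("PAM_ACCT_EXPIRED", "(nsaccountlock=true)"),
    ("PAM_ACCT_EXPIRED", "(&(accountunlocktime=19700101000000Z)(passwordretrycount=3))"),
]


def generalized_time(dt):
    """LDAP GeneralizedTime as 389-DS stores it: YYYYMMDDHHMMSSZ in UTC."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_filter(text):
    """Parse a subset of an RFC 4515 filter into a nested tuple tree.
    Supported: (&...), (|...), (!...) and (attr=v), (attr<=v), (attr>=v).
    Escaped parentheses inside values are not handled."""
    pos = 0

    def node():
        nonlocal pos
        assert text[pos] == "(", f"expected '(' at offset {pos}"
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            assert text[pos] == ")", f"expected ')' at offset {pos}"
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        m = re.fullmatch(r"([A-Za-z][\w-]*)(<=|>=|=)(.*)", text[pos:end])
        assert m, f"unsupported comparison: {text[pos:end]}"
        pos = end + 1
        return ("cmp", m.group(1).lower(), m.group(2), m.group(3))

    tree = node()
    assert pos == len(text), "trailing characters after filter"
    return tree


def compare(actual, op, wanted):
    """Order two attribute values: numerically when both are integers,
    otherwise case-insensitively as text. GeneralizedTime values of the
    same length and zone sort correctly as text, which is why
    generalized_time() always normalizes to UTC."""
    if actual.isdigit() and wanted.isdigit():
        a, w = int(actual), int(wanted)
    else:
        a, w = actual.lower(), wanted.lower()
    return {"=": a == w, "<=": a <= w, ">=": a >= w}[op]


def matches(tree, entry):
    """Evaluate a parsed filter against an entry (dict of lowercase
    attribute name -> list of string values). A missing attribute never matches."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, op, wanted = tree
    return any(compare(v, op, wanted) for v in entry.get(attr, []))


def evaluate(entry, now, policy=POLICY):
    """Return the PAM status the policy yields for this entry at time `now`,
    or PAM_SUCCESS when no rule matches (assumed default)."""
    substitutions = {"$[TIMEOFTHEDAY]": generalized_time(now)}
    for status, flt in policy:
        for token, value in substitutions.items():
            flt = flt.replace(token, value)
        if matches(parse_filter(flt), entry):
            return status
    return "PAM_SUCCESS"


# Constructed sample entries and a fixed "current time" for reproducibility.
NOW = datetime(2012, 3, 1, 12, 0, tzinfo=timezone.utc)
EXAMPLES = {
    "active": {"passwordexpirationtime": ["20120601000000Z"], "passwordretrycount": ["0"]},
    "expired": {"passwordexpirationtime": ["20120101000000Z"]},
    "locked": {"passwordexpirationtime": ["20120601000000Z"], "nsaccountlock": ["true"]},
    "lockedout": {"passwordexpirationtime": ["20120601000000Z"],
                  "accountunlocktime": ["19700101000000Z"], "passwordretrycount": ["3"]},
}

if __name__ == "__main__":
    for name, entry in EXAMPLES.items():
        print(f"{name:10s} -> {evaluate(entry, NOW)}")
```

Running it shows the expired, locked and locked-out entries each mapping to the status named in the rule that matches them, while the active entry falls through to PAM_SUCCESS. The rule order matters: an entry that is both expired and locked is reported as PAM_NEW_AUTHTOK_REQD because that rule comes first, so a policy that should refuse locked accounts outright needs the nsaccountlock rule ahead of the expiry rule.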
