I am using CentOS-DS (based off Red Hat DS and the 389 Directory Server).
I have LDAP set up and working to authenticate users (and sudo, that's a handy feature!). Even passwd works great to change passwords stored in LDAP. However, I have one little problem. How can I force all my user accounts to create a new password after logging into the server? The normal way I would do this:
chage -d 0 username
does not seem to be 'LDAP-ified'. How can I force people to create new passwords on their next (SSH) login? I need to create user accounts, and I really don't want people keeping the passwords I set for them.
*edit: I have set the LDAP server to force a password change when their password is reset. However, I cannot seem to find a way to "reset" the password in the correct way to trigger this (all I can find is logging in as Directory Manager and changing their password).
*edit2: Since we are going to be moving many machines to LDAP once this part is figured out, I wrote a script to run as root to set up LDAP authentication. Perhaps I'm missing something here? (Edited out servers and base DN.)
#!/bin/sh
#
# Configure this host for LDAP users/passwords (via authconfig) and LDAP sudoers.
# Run as root. Server names and base DN below are placeholders.
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=<server1>,<server2> --ldapbasedn="<basedn>" --update

# Let sudo look up its rules in LDAP after the local sudoers file.
# Only append the line if it is not already there, so the script can be re-run safely.
grep -q '^sudoers:' /etc/nsswitch.conf || echo 'sudoers: files ldap' >> /etc/nsswitch.conf

# Client settings for nss_ldap/pam_ldap. Note: "ssl no" together with plain ldap://
# URIs means simple binds (and therefore user passwords) cross the network unencrypted.
cat > /etc/ldap.conf <<'EOF'
base <basedn>
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
uri ldap://<server1>/
uri ldap://<server2>/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
sudoers_base ou=SUDOers,<basedn>
EOF
I found a solution: in the user's LDAP entry, set
shadowLastChange: 0
This will force the user to have to reset their LDAP password. However, there is also another bug: you then have to modify the permissions (ACLs) on the LDAP server (I had the default "Allow Self entry modification" one on ou=People) to also allow them to modify the targeted attribute shadowLastChange. Otherwise, they can't change the value, and it stays at zero, forcing them to redo their password every time they log in.
Try the passwordMustChange attribute:
When on, this attribute requires users to change their passwords when they first login to the directory or after the password is reset by the Directory Manager. The user is required to change their password even if user-defined passwords are disabled. If this attribute is set to off, passwords assigned by the Directory Manager should not follow any obvious convention and should be difficult to discover. This attribute is off by default.
Refer: http://www.centos.org/docs/5/html/CDS/ag/8.0/User_Account_Management-Managing_the_Password_Policy.html
@Brian Changing shadowLastChange to 0 is actually a bad idea. Most LDAP clients are not designed to change the value of shadowLastChange, so you will fall into an infinite loop of changing your password every time you log in.
Some LDAP clients:
nss-pam-ldapd - this functionality was recently added in the nss-pam-ldapd upstream project. Log: "try to update the shadowLastChange attribute of a user on password change (the update is only tried if the attribute is present to begin with)" http://lists.arthurdejong.org/nss-pam-ldapd-commits/2010/msg00302.html
sssd - still an RFE: https://bugzilla.redhat.com/show_bug.cgi?id=739312
samba-ldap-tools - declined
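As an added example (not code from this thread, and not from 389 DS or CentOS-DS), the three directory changes the answers above describe, generated as LDIF by small shell functions so they can be reviewed before being piped to ldapmodify: the first answer's shadowLastChange reset for one user, the ACI on ou=People that lets the user write shadowLastChange back after a successful change (the caveat raised in the first and last answers), and the second answer's passwordMustChange switch on cn=config. The base DN dc=example,dc=com, the server URI, the bind DN and the user alice are placeholders; the user entries are assumed to carry objectClass shadowAccount, since shadowLastChange is defined there and, as the nss-pam-ldapd log quoted above notes, clients only update the attribute if it is already present.

```shell
#!/bin/sh
# Added example, not from the original thread or from 389 DS.
# Assumptions: suffix dc=example,dc=com, users under ou=People carrying
# objectClass shadowAccount, one LDAP server reachable at LDAP_URI.

BASEDN="${BASEDN:-dc=example,dc=com}"              # assumption: your suffix
PEOPLE_OU="ou=People,${BASEDN}"
LDAP_URI="${LDAP_URI:-ldap://ldap1.example.com/}"  # assumption: your server
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Approach 1 (first answer): expire the password through shadow aging.
# pam_unix/pam_ldap treat shadowLastChange = 0 as "must change password now".
reset_shadow_ldif() {
    # $1 = uid of the account to expire
    printf '%s\n' \
        "dn: uid=$1,${PEOPLE_OU}" \
        "changetype: modify" \
        "replace: shadowLastChange" \
        "shadowLastChange: 0"
}

# The ACI that breaks the "change password on every login" loop: the user
# (ldap:///self) must be allowed to write shadowLastChange as well as
# userPassword, or the client's update after a successful change is rejected
# and the value stays at 0. Apply once to the ou=People entry.
self_write_aci_ldif() {
    printf '%s\n' \
        "dn: ${PEOPLE_OU}" \
        "changetype: modify" \
        "add: aci" \
        "aci: (targetattr = \"userPassword || shadowLastChange\")(version 3.0; acl \"Allow self password and shadowLastChange update\"; allow (write) userdn = \"ldap:///self\";)"
}

# Approach 2 (second answer): global password policy flag so that a reset by
# the Directory Manager marks the password as must-change on the server side.
must_change_policy_ldif() {
    printf '%s\n' \
        "dn: cn=config" \
        "changetype: modify" \
        "replace: passwordMustChange" \
        "passwordMustChange: on"
}

# Apply LDIF read from stdin; ldapmodify prompts for the bind password (-W).
apply_ldif() {
    ldapmodify -x -H "${LDAP_URI}" -D "${BIND_DN}" -W
}

# Read back the value the client sees. After the user's first successful
# password change it should be a positive day count, no longer 0.
show_shadow() {
    ldapsearch -x -LLL -H "${LDAP_URI}" -b "${PEOPLE_OU}" "(uid=$1)" shadowLastChange
}

# Dry run by default so the LDIF can be inspected without a directory server.
if [ "${1:-}" = "--apply" ]; then
    self_write_aci_ldif | apply_ldif
    reset_shadow_ldif "${2:?uid required}" | apply_ldif
else
    self_write_aci_ldif
    echo
    reset_shadow_ldif "${2:-alice}"
    echo
    must_change_policy_ldif
fi
```

Run with no arguments to print the three LDIF fragments; `./expire.sh --apply alice` pushes the ACI and the reset for alice (the cn=config change is printed only, since it is a one-time policy decision). After alice has logged in and changed her password, `show_shadow alice` should return a non-zero shadowLastChange; if it still reads 0, the client did not write the attribute back, which is the sssd/samba situation the last answer describes, and the ACI alone will not help.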