
I have CentOS 6, with LDAP user authentication, using OpenLDAP and SSSD. I'm trying to force a user to change the password. According to this ServerFault question I tried to set shadowLastChange to 0, but it just seems to be ignored when the user logs in with SSH.

In that question there is a warning that it might cause a bug of an infinite loop of password change requests, but I didn't get even a single request...

There was another suggestion in that question,

Try passwordMustChange attribute

But when I try to use it in my .ldif file, I get an Undefined attribute type (17) error

I also tried using passwd -e username on local Unix user, just to verify that it's working, and yes - that local user was forced to change password upon SSH login.

EDIT

I've found Password Policies overlay in the OpenLDAP doc. Should it help? (if yes - is it the only way to solve my problem?)

EDIT2

Password Policies doesn't seem to help either.

EDIT3

A.

Actually, the Password Policy is working. First I tried to check it following the HP support suggestion - but the ppolicy didn't show in the log file.

But then I found a good way to verify the Policy - set pwdAllowUserChange to FALSE, and see that the user cannot change the password with passwd, with an error message from the server. Or, change pwdMaxAge to 1, log in, and see that the user gets a password change prompt.

However, pwdMustChange: TRUE still doesn't help. After I change the user's password (either with the JXplorer client, or from a Unix shell with ldapmodify), the user doesn't get a password change notification.

Maybe I'm not setting the password as expected? In the slapo-ppolicy man page they say

pwdMustChange

   This attribute specifies whether users must change their passwords when they first bind to the directory after a password is set or reset by the administrator, or not. If pwdMustChange has a value of "TRUE", users must change their passwords when they first bind to the directory after a password is set or reset by the administrator.

There seems to be a difference between setting and resetting a password. I tried to set. Maybe reset would help me. How can I reset a password?

Here's my policy:

dn: cn=default,ou=policies,dc=***,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 30
pwdInHistory: 2
pwdLockout: TRUE
pwdLockoutDuration: 172800
pwdMinAge: 0
pwdMinLength: 6
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: dummy value
pwdAllowUserChange: FALSE
pwdGraceAuthNLimit: 0
pwdMaxFailure: 5
pwdMaxAge: 999999

B.

(In response to Cameron Kerr's questions in comments)

It's CentOS 6.6. And these are my /etc/pam.d/system-auth* files:

# cat  /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

# cat  /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

EDIT4

OK, I've discovered that if I set pwdReset: TRUE in the user's entry, he's required to change the password upon login. I think that it depends on the PPolicy's pwdMustChange: TRUE.

It's working, but I don't understand why it's the only solution I could find (and a solution that Google couldn't find me!). Furthermore, it's strange that this change must be done with ldapmodify - JXplorer didn't even show me that attribute before I changed it...

Zvika
  • What version of CentOS are you using? SSSD has had a long history of bug fixes since RHEL 6.0. Though I don't recall that being one of them. – Cameron Kerr May 12 '15 at 09:51
  • Also, it would be PAM driving the password change enforcement. What do your system-auth* etc. files contain under /etc/pam.d/? – Cameron Kerr May 12 '15 at 09:54
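The procedure the question arrives at in EDIT4 (mark the entry with pwdReset: TRUE via ldapmodify, then confirm the flag is present) as an added shell example; it is not code from the question or from OpenLDAP. The server URI, admin bind DN and user DN are placeholders, and the ldapsearch output fed to the checker at the end is constructed. It also shows why JXplorer did not display the attribute: pwdReset is an operational attribute, so ldapsearch only returns it when asked for by name or with "+".

```shell
#!/bin/sh
# Added example: force a ppolicy-managed OpenLDAP user to change password at
# next bind by setting pwdReset: TRUE on the entry (requires pwdMustChange: TRUE
# in the applicable policy, as in the question). All DNs/URIs are placeholders.
LDAP_URI="${LDAP_URI:-ldap://localhost}"                 # placeholder
BIND_DN="${BIND_DN:-cn=Manager,dc=example,dc=com}"       # admin DN, placeholder

# Build the LDIF change record for one user DN ($1). pwdReset is operational
# and set by an administrator, not by the user's own password change.
pwdreset_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n' "$1"
}

# Apply the change with ldapmodify. Not run by default: it needs a live server.
apply_pwdreset() {
  pwdreset_ldif "$1" | ldapmodify -H "$LDAP_URI" -D "$BIND_DN" -W
}

# Read the flag back. Operational attributes must be requested explicitly
# (by name, or with "+"), which is why generic browsers may not show them.
query_pwdreset() {
  ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$1" -s base \
    pwdReset pwdChangedTime pwdPolicySubentry
}

# Classify LDIF on stdin (e.g. query_pwdreset output): prints "forced" when
# the entry carries pwdReset: TRUE, otherwise "not-forced".
forced_change_state() {
  if grep -qi '^pwdReset: TRUE' ; then echo forced; else echo not-forced; fi
}

# Offline self-check on a constructed ldapsearch dump (no server needed).
sample_check() {
  printf 'dn: uid=bob,ou=people,dc=example,dc=com\npwdReset: TRUE\n' \
    | forced_change_state
}

# Usage when a directory is reachable:
#   sh force-change.sh --apply 'uid=bob,ou=people,dc=example,dc=com'
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  apply_pwdreset "$2" && query_pwdreset "$2" | forced_change_state
fi
```

After the user binds and changes the password, slapo-ppolicy clears pwdReset on the entry, so running query_pwdreset again is a cheap way to confirm the forced change actually happened rather than trusting the login prompt alone.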

0 Answers