Users in an OU without a password expiration policy are asked to change their password
Environment
Red Hat Directory Server 8
Issue
Users created under an Organizational Unit that does not contain a password expiration policy (defined as Password never expires) are asked to change their password after login.
Resolution
Remove the LDAP shadow* attributes from the affected account.
Root Cause
pam_ldap relies on the return code of the LDAP bind operation to evaluate the status of a given account.
The presence of the shadow* attributes bypasses that LDAP evaluation and thus breaks the RHDS control of password expiration.
Diagnostic Steps
Run an ldapsearch, inquiring for the affected account:
[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser
# extended LDIF
#
# LDAPv3
# base <ou=prod,dc=example,dc=com> with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, Users, prod, example.com
dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgperson
objectClass: shadowAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
uid: testuser
cn: testuser
givenName: testuser
sn: testuser
mail: testuser@example.com
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/testuser
loginShell: /bin/bash
description: testuser
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Narrowing down the search, we can see the shadow* attributes present in the account:
[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser | egrep '^shadow'
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7
A correct account:
[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser
# extended LDIF
#
# LDAPv3
# base <ou=prod,dc=example,dc=com> with scope subtree
# filter: uid=testuser
# requesting: ALL
#
# testuser, Users, prod, example.com
dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: inetOrgperson
objectClass: shadowAccount
objectClass: top
objectClass: organizationalPerson
objectClass: person
uid: testuser
cn: testuser
givenName: testuser
sn: testuser
mail: testuser@example.com
uidNumber: 12345
gidNumber: 12345
homeDirectory: /home/testuser
loginShell: /bin/bash
description: testuser
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Narrowing down:
[rfreire@rf ~]$ ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser | egrep '^shadow'
[rfreire@rf ~]$
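The resolution above (remove the shadow* attributes) can be turned into an LDIF modify generated from the same ldapsearch output used in the diagnostic steps. This is an added example, not part of the Red Hat solution; it assumes the host, base DN and uid shown on the page, works on a constructed copy of the affected entry, and only generates the LDIF, leaving the ldapmodify call for you to run after reviewing it.

```shell
#!/bin/sh
# Added example (not from the Red Hat solution): build a "changetype: modify"
# LDIF that deletes every shadow* attribute an account carries, so the entry
# falls back to the RHDS password policy of its OU. The shadowAccount
# objectClass is kept; only the shadow* attributes are removed.

# Constructed sample of the affected account, trimmed from the ldapsearch
# output shown in the diagnostic steps.
SAMPLE_LDIF='dn: uid=testuser,ou=Users,ou=prod,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7'

# shadow_attrs: print the names of the shadow* attributes found in LDIF on
# stdin, one per line, without duplicates (same check as egrep '^shadow').
shadow_attrs() {
    sed -n 's/^\(shadow[A-Za-z]*\):.*/\1/p' | sort -u
}

# remove_shadow_ldif: read one entry's LDIF on stdin and emit the modify LDIF
# that deletes each shadow* attribute. Returns 1 when there is nothing to do
# (no dn, or no shadow* attribute), so the caller never pipes an empty change.
remove_shadow_ldif() {
    entry=$(cat)
    dn=$(printf '%s\n' "$entry" | sed -n 's/^dn: //p' | head -n 1)
    attrs=$(printf '%s\n' "$entry" | shadow_attrs)
    [ -n "$dn" ] && [ -n "$attrs" ] || return 1
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    # RFC 2849: each mod-spec is "delete: <attr>" terminated by a "-" line.
    for a in $attrs; do
        printf 'delete: %s\n' "$a"
        printf '%s\n' '-'
    done
}

# Stand-alone run: show the LDIF for the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | remove_shadow_ldif

# Against the live server (hypothetical bind DN; review the LDIF first):
#   ldapsearch -x -H ldap://rhds82 -b ou=prod,dc=example,dc=com uid=testuser \
#     | remove_shadow_ldif \
#     | ldapmodify -x -H ldap://rhds82 -D 'cn=Directory Manager' -W
```

After applying the change, re-run the `egrep '^shadow'` search from the diagnostic steps; an empty result confirms the account now matches the "correct account" shown above.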
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.