IBM DB2 allows users to log in with expired LDAP passwords on RHEL6
Issue
LDAP users logging into a DB2 database can log in with a wrong or expired password.
This is the DB2 PAM configuration as per IBM:
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
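To read the stack above line by line, the following added example (not from the original article, IBM or Red Hat) models Linux-PAM's `required`, `requisite` and `sufficient` control flags in Python and evaluates the five `auth` lines for given module results. The function names and the per-module results passed in are assumptions made for illustration; nothing here calls PAM itself.

```python
# Added example: simplified model of Linux-PAM keyword control flags.
# It does not call PAM; module results are constructed inputs.
AUTH_STACK = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth sufficient pam_sss.so use_first_pass debug
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module)] for one facility of a PAM service file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, results):
    """results: module -> True (PAM_SUCCESS) or False (any failure).
    Returns (authenticated, modules_called_in_order)."""
    failed, succeeded, called = False, False, []
    for control, module in entries:
        ok = results[module]
        called.append(module)
        if control == "sufficient":
            if ok and not failed:
                return True, called      # stack ends here with success
            continue                     # a failed 'sufficient' is ignored
        if control not in ("required", "requisite"):
            raise ValueError("unsupported control: " + control)
        if ok:
            succeeded = True
        else:
            failed = True
            if control == "requisite":
                return False, called     # stack ends here with failure
    return succeeded and not failed, called

def outcome(unix_ok, sss_ok, uid_ok=True):
    """Evaluate AUTH_STACK; pam_env succeeds and pam_deny always fails."""
    results = {"pam_env.so": True, "pam_unix.so": unix_ok, "pam_sss.so": sss_ok,
               "pam_succeed_if.so": uid_ok, "pam_deny.so": False}
    return evaluate(parse_stack(AUTH_STACK), results)

if __name__ == "__main__":
    for unix_ok, sss_ok in [(True, False), (False, True), (False, False)]:
        print(unix_ok, sss_ok, outcome(unix_ok, sss_ok))
```

In this model, a login succeeds only when `pam_unix.so` or `pam_sss.so` returns success; when both fail, evaluation falls through to `pam_deny.so` and the stack fails.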
Environment
Red Hat Enterprise Linux 6.9
IBM DB2 v10.5