How to configure password complexity for local users only when the system is an LDAP client?
Environment
- Red Hat Enterprise Linux (All Version)
- Red Hat Enterprise Linux as an LDAP or Active Directory client
Issue
- How to configure password complexity for local users only when the system is an LDAP client?
Resolution
Configure the password section of /etc/pam.d/system-auth and /etc/pam.d/password-auth as follows:
password [success=2 default=ignore] pam_localuser.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_winbind.so use_authtok
password requisite pam_cracklib.so retry=3 minlen=15 dcredit=-3 ucredit=-3 lcredit=-3 ocredit=-3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
Several PAM modules can change a password against AD/LDAP, for example pam_krb5.so, pam_sss.so and pam_ldap.so. If another module is in use, replace pam_winbind.so with that module in this line:
password sufficient pam_winbind.so use_authtok
With the above configuration, the user is first checked with pam_localuser.so. If the user is a local user, the stack jumps over the next two lines (success=2) and the new password must satisfy the complexity rules of pam_cracklib.so on the 4th line before pam_unix.so updates it. If the user is not a local user, that first line is ignored (default=ignore) and the stack continues through the second and third lines, so the password change is handled by pam_winbind.so.
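To see which of the six lines a local user and a domain user actually execute, here is an added Python example (not part of this article, and not Linux-PAM code) that parses the stack above and walks it using the Linux-PAM control-flag rules (ok, done, bad, die, ignore, and the success=N jump). No real PAM modules are invoked: the module results come from a constructed scenario built by a `make_outcome` helper I invented, and the simulator models a single pass through the stack, whereas real PAM runs the password stack twice (preliminary check and update).

```python
# Added example (not from the Red Hat article or Linux-PAM): a simulator of the
# "password" stack control flow, used to trace which lines a local user and a
# domain user execute with the configuration above. Module results are supplied
# by a constructed scenario, and only one pass through the stack is modelled.

import re

# Equivalent [result=action] tables for the four keyword controls.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# The password section from the article, embedded so the example runs offline.
PAGE_CONFIG = """
password [success=2 default=ignore] pam_localuser.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_winbind.so use_authtok
password requisite pam_cracklib.so retry=3 minlen=15 dcredit=-3 ucredit=-3 lcredit=-3 ocredit=-3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""

def parse_stack(text):
    """Return a list of (control, module, args) for each 'password' line."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % line)
        stack.append((m.group(1), m.group(2), m.group(3)))
    return stack

def control_actions(control):
    """Map a control keyword or a [result=action ...] bracket to {result: action}."""
    if control in KEYWORD_CONTROLS:
        return KEYWORD_CONTROLS[control]
    return dict(token.split("=", 1) for token in control.strip("[]").split())

def run_stack(stack, outcome):
    """Walk the stack once; outcome(module, args) returns "success" or "failure".
    Returns (stack_result, 1-based line numbers that were executed)."""
    state = None          # stays None until some module contributes a result
    executed = []
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        executed.append(i + 1)
        result = outcome(module, args)
        actions = control_actions(control)
        action = actions.get(result, actions.get("default", "ignore"))
        if action == "ignore":
            i += 1
            continue
        if action in ("bad", "die"):
            state = "failure"
            if action == "die":          # requisite failure ends the stack now
                break
            i += 1
            continue
        # "ok", "done" and a jump count "N" all contribute the module's result;
        # an already recorded failure is never overridden by a later success.
        if state != "failure":
            state = result
        if action == "done" and state == "success":
            break                        # sufficient success ends the stack
        i += 1 + (int(action) if action.isdigit() else 0)   # success=N skips N
    return ("success" if state == "success" else "failure", executed)

def make_outcome(local, lenient_ok=True, strict_ok=True, backend_ok=True):
    """Constructed stand-in for real module results (hypothetical scenario).
    local: user exists in /etc/passwd; lenient_ok / strict_ok: new password passes
    the first / the minlen=15 pam_cracklib line; backend_ok: the password store
    (pam_winbind for domain users, pam_unix for local users) accepts the change."""
    def outcome(module, args):
        if module == "pam_localuser.so":
            return "success" if local else "failure"
        if module == "pam_cracklib.so":
            ok = strict_ok if "minlen=" in args else lenient_ok
            return "success" if ok else "failure"
        if module == "pam_winbind.so":
            return "success" if (not local and backend_ok) else "failure"
        if module == "pam_unix.so":
            return "success" if (local and backend_ok) else "failure"
        return "failure"                 # pam_deny.so and anything unknown
    return outcome

def trace(config_text, **scenario):
    return run_stack(parse_stack(config_text), make_outcome(**scenario))

if __name__ == "__main__":
    for label, scenario in [
        ("local user, password meets minlen=15 policy", dict(local=True)),
        ("local user, weak password", dict(local=True, strict_ok=False)),
        ("domain user, change accepted by pam_winbind", dict(local=False)),
        ("domain user, rejected by first pam_cracklib", dict(local=False, lenient_ok=False)),
        ("domain user, change refused by pam_winbind", dict(local=False, backend_ok=False)),
    ]:
        result, lines = trace(PAGE_CONFIG, **scenario)
        print("%-48s -> %-7s via lines %s" % (label, result, lines))
```

The last scenario is the caveat worth checking in any real deployment: when pam_winbind.so refuses the change for a domain user, the stack falls through to the strict pam_cracklib.so line and finally to pam_deny.so, so the domain user sees the local complexity rules applied before being denied. The trace also confirms that the jump count in success=2 is what keeps the first, lenient pam_cracklib.so line away from local users; if a line is inserted between it and the strict line, the count must be adjusted.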
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.