hi,
I'm not sure if this is sss related, but I can't get passwd policies working.
Is there anyone using shadow attributes for passwd policies?
regards,
muzzol
On Tue, 2012-06-05 at 12:17 +0200, Angel Bosch wrote:
hi,
I'm not sure if this is sss related, but I can't get passwd policies working.
Is there anyone using shadow attributes for passwd policies?
You should be able to configure this using: ldap_pwd_policy = shadow
Additionally, if any of your shadow attributes are renamed, you can use:
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
to set them.
Be aware, however, that SSSD will *always* honor server-side password policies if they are available. This is primarily done because shadow attributes are rarely (if ever) properly maintained by the server, and thus the LDAP password policy control is more reliable. So if they disagree, the password policy control will always "win".
----- Original Message -----
You should be able to configure this using: ldap_pwd_policy = shadow
thanks, there was a little typo in my config.
:)
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
can you explain how these attributes are interpreted?
now I only get two states from the point of view of the user: the user can log in or the user can't.
I don't get any warning about expiration or any chance to change expired passwords.
I've opened a bug regarding info on the lightdm package because I think it is the client's job to understand PAM messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
but I wonder if there's another approach to shadow management.
also, I would like to know if there's any way to configure Firefox/Chrome on Linux to honour PAM credentials, just as it does on Windows with NTLM and Apache.
regards,
abosch
Sorry for the delay, I thought I'd replied to this, but I guess I forgot to send the draft.
On Thu, 2012-06-07 at 15:00 +0200, Angel Bosch wrote:
----- Original Message -----
You should be able to configure this using: ldap_pwd_policy = shadow
thanks, there was a little typo in my config.
:)
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
can you explain how these attributes are interpreted?
They just allow you to specify which attribute in LDAP represents this attribute for "shadow".
now I only get two states from the point of view of the user: the user can log in or the user can't.
I don't get any warning about expiration or any chance to change expired passwords.
I've opened a bug regarding info on the lightdm package because I think it is the client's job to understand PAM messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
Yeah, that's likely the case. We mainly test with GDM, which does support the PAM conversation properly. One thing you can try is directly logging in on the console (ctrl-alt-f2) or via SSH. If those both warn you appropriately, it's a lightdm bug. If they don't, something else is wrong. (Please try both, SSH has some gotchas in configuration that make it easy for just it to be wrong where other login mechanisms are correct).
but I wonder if there's another approach to shadow management.
We've been considering adding support for retrieving the shadow map, but in general we consider it best for our users to properly configure their server-side policies instead. After all, client-side security... isn't.
also, I would like to know if there's any way to configure Firefox/Chrome on Linux to honour PAM credentials, just as it does on Windows with NTLM and Apache.
This is actually done through Kerberos, and yes Firefox and Chrome can be configured to honor this (and apache can be configured with mod_auth_krb5 to respect it). For an example, take a look at the FreeIPA project. That's how they manage SSO to their administrative web interface.
ldap_user_shadow_last_change
ldap_user_shadow_min
ldap_user_shadow_max
ldap_user_shadow_warning
ldap_user_shadow_inactive
ldap_user_shadow_expire
can you explain how these attributes are interpreted?
They just allow you to specify which attribute in LDAP represents this attribute for "shadow".
now I only get two states from the point of view of the user: the user can log in or the user can't.
I don't get any warning about expiration or any chance to change expired passwords.
I've opened a bug regarding info on the lightdm package because I think it is the client's job to understand PAM messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
Yeah, that's likely the case. We mainly test with GDM, which does support the PAM conversation properly. One thing you can try is directly logging in on the console (ctrl-alt-f2) or via SSH. If those both warn you appropriately, it's a lightdm bug. If they don't, something else is wrong. (Please try both, SSH has some gotchas in configuration that make it easy for just it to be wrong where other login mechanisms are correct).
I've been testing with SSH and I get an error when a user in the 'warning' state tries to log in:
$ ssh cprli0554 -l pepet9
pepet9@cprli0554's password:
Permission denied, please try again.
---
# tail auth.log
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.example.net user=pepet9
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): received for user pepet9: 4 (System error)
---
# tail -f sssd_imasmallorca.net.log
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [string_to_shadowpw_days] (0x0020): Input string contains not allowed negative value [-1].
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [get_user_dn] (0x0020): find_password_expiration_attributes failed.
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
---
I'm using standard values, so I didn't change any default setting besides 'ldap_pwd_policy = shadow'
regards,
abosch
On Wed, 2012-06-27 at 12:57 +0200, Angel Bosch wrote:
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [string_to_shadowpw_days] (0x0020): Input string contains not allowed negative value [-1].
Note this message right here: You have a user that contains '-1' as the value of one of their shadow entries. It looks like we're not handling this properly. The shadow processing should accept -1 (and only that singular negative value) as meaning "never" or "infinite" as appropriate.
Angel, please file a bug on this.
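As an added illustration of the two points raised in this thread (how the shadow(5) ageing attributes are interpreted, and why "-1" must be accepted as the single permitted negative value), here is a small C model of a client-side shadow evaluator. It is example code written for this page, not SSSD's string_to_shadowpw_days or find_password_expiration_attributes, and the cut-off conventions it uses (account expiry checked with >=, password age with strict >) are borrowed from pam_unix, not something the thread states about SSSD. The attribute values in main() are constructed sample data, chosen to match the "shadowExpire: -1" case reported above.

```c
/*
 * Added example, not SSSD's own code: a model of how shadow(5) ageing
 * attributes are parsed and evaluated on the client. "-1" means
 * never / no limit and is the ONLY negative value that may be accepted.
 * Cut-offs follow pam_unix conventions (this example's choice).
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define SHADOW_UNSET   (-1L)     /* attribute empty or "-1": never / unlimited */
#define SHADOW_INVALID LONG_MIN  /* malformed attribute value */

enum pw_state {
    PW_OK = 0,          /* login allowed, nothing to report */
    PW_WARN,            /* login allowed, warn: password expires soon */
    PW_EXPIRED,         /* password expired, user must change it */
    PW_INACTIVE,        /* expired and past the shadowInactive grace period */
    PW_ACCOUNT_EXPIRED, /* shadowExpire has passed: account disabled */
    PW_PARSE_ERROR      /* some attribute could not be parsed */
};

/* Parse one shadow day-count attribute. Returns 0 and sets *out
 * (SHADOW_UNSET for NULL, "" or "-1"), or -1 on malformed input:
 * any negative other than -1, trailing junk, or overflow. */
int parse_shadow_days(const char *s, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0') {
        *out = SHADOW_UNSET;
        return 0;
    }
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    if (v < -1)           /* -1 is the single permitted negative value */
        return -1;
    *out = v;
    return 0;
}

/* Same parser for callers that just want a value. */
long shadow_days(const char *s)
{
    long v;
    return parse_shadow_days(s, &v) == 0 ? v : SHADOW_INVALID;
}

/* Evaluate a user's ageing state from the raw LDAP attribute strings
 * (NULL if absent). today = days since the epoch, as shadow(5) counts them.
 * shadowMin is validated but does not affect login; it only limits how
 * soon a password may be changed again. */
enum pw_state shadow_state(const char *last_change, const char *min_age,
                           const char *max_age, const char *warning,
                           const char *inactive, const char *expire,
                           long today)
{
    long last, min, max, warn, inact, expire_day;

    if (parse_shadow_days(last_change, &last) || parse_shadow_days(min_age, &min) ||
        parse_shadow_days(max_age, &max)      || parse_shadow_days(warning, &warn) ||
        parse_shadow_days(inactive, &inact)   || parse_shadow_days(expire, &expire_day))
        return PW_PARSE_ERROR;

    /* shadowExpire is an absolute day number; -1 means the account never expires. */
    if (expire_day != SHADOW_UNSET && today >= expire_day)
        return PW_ACCOUNT_EXPIRED;

    /* shadowLastChange 0 means "must change at next login"; empty disables ageing. */
    if (last == 0)
        return PW_EXPIRED;
    if (last == SHADOW_UNSET || max == SHADOW_UNSET)
        return PW_OK;

    long age = today - last;
    if (age > max) {
        if (inact != SHADOW_UNSET && age > max + inact)
            return PW_INACTIVE;
        return PW_EXPIRED;
    }
    if (warn != SHADOW_UNSET && age > max - warn)
        return PW_WARN;
    return PW_OK;
}

const char *state_name(enum pw_state s)
{
    static const char *names[] = { "ok", "warn", "expired", "inactive",
                                   "account-expired", "parse-error" };
    return names[s];
}

int main(void)
{
    long today = (long)(time(NULL) / 86400);
    /* Constructed sample matching the thread: ageing disabled, shadowExpire = -1 */
    printf("today=%ld state=%s\n", today,
           state_name(shadow_state("15400", "0", "-1", "7", "-1", "-1", today)));
    return 0;
}
```

With this parser the user from the log above (shadowExpire: -1, no shadowMax) evaluates to "ok" rather than a system error, while a value such as -2 still fails validation; the other states show where a warning or a forced password change would be surfaced to PAM.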
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [string_to_shadowpw_days] (0x0020): Input string contains not allowed negative value [-1].
Note this message right here: You have a user that contains '-1' as the value of one of their shadow entries. It looks like we're not handling this properly. The shadow processing should accept -1 (and only that singular negative value) as meaning "never" or "infinite" as appropriate.
yes, user had 'shadowexpire: -1'
Angel, please file a bug on this.
done: https://fedorahosted.org/sssd/ticket/1393
I think it's time to start testing server-side policies and say goodbye to my old friend shadow.
thanks for your time,
abosch
sssd-users@lists.fedorahosted.org