Discussion:
Forced password change not allowed
m***@imparisystems.com
2009-07-28 11:52:04 UTC
I've got openLDAP running and installed the pam and nss libraries so it
would also control the Linux passwords. I'm trying to sign onto my server
using ssh - but once I enter my username and password, I get

WARNING: Your password has expired.
You must change your password now and login again!
Enter login(LDAP) password:

Now being a bad security person, I always use the exact same username /
password combination and they don't work.

If I use either nothing (just hit Enter) or if I put in the standard
password I get

passwd: Authentication information cannot be recovered
passwd: password unchanged
Connection to ubuntu closed.

If I enter in some nonsensical string I get

LDAP Password incorrect: try again
Enter login(LDAP) password:


However, that is the only root level user on the machine and I have TONS of
stuff on it. How do I fix? Is this an openLDAP issue or something else?

Thanks
Matt Kassawara
2009-07-28 13:21:10 UTC
You probably don't have the slapd ACLs configured so clients can read the
necessary shadow fields... particularly those governing password age (e.g.,
shadowLastChange, shadowMax).
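The kind of slapd ACL Kassawara is describing, written here as an added example in slapd.conf syntax (not configuration from the original thread; the same rules go into olcAccess values under cn=config on newer Ubuntu releases). Clause order matters: slapd applies the first "access to" clause whose target matches, so the userPassword clause must come before the catch-all, and the shadow attributes need their own clause because a "by * none"-style default would otherwise hide them from the client that is deciding whether the password has expired:

```text
# /etc/ldap/slapd.conf  (example ACL set, not the thread's own configuration)

# Password hashes are never readable. Users may replace their own;
# "auth" lets anyone use the attribute to bind (simple bind), nothing more.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Password ageing: pam_ldap reads shadowLastChange/shadowMax to decide whether
# a password has expired, and the user must be able to update shadowLastChange
# when a (forced) password change succeeds.
access to attrs=shadowLastChange
        by self write
        by * read

access to attrs=shadowMax,shadowMin,shadowWarning,shadowInactive,shadowExpire
        by * read

# Everything else (uid, uidNumber, homeDirectory, ...) must be readable for
# NSS lookups to work at all.
access to *
        by * read
```

To check the effect from a client, bind as the affected user and request only the ageing attributes, for instance with `ldapsearch -x -D "<user DN>" -W -b "<base DN>" "(uid=<user>)" shadowLastChange shadowMax`; if the entry comes back without those attributes, the ACL is still hiding them. If anonymous reads of password age are undesirable, change `by * read` on the shadow clauses to `by users read` (or to the specific bind DN of the clients), but then every client must bind with a DN rather than anonymously, which is a change to the client-side ldap.conf as well.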
Matt Burkhardt
2009-09-20 18:44:41 UTC
Thanks Matt -

With your hint, I was able to start digging around and found out that
the problem was with pam - I ended up going
into /etc/pam.d/common-password and changed

password sufficient pam_ldap.so use_first_pass

to

password sufficient pam_ldap.so

Not quite sure what it does - but it works and I'll read the pam man
pages later
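What the option Burkhardt removed does, shown as an added example stack (not the thread's own file; the module order and pam_unix options are assumptions for illustration). In pam_ldap, `use_first_pass` on a `password` line tells the module not to prompt for the new password but to reuse the one an earlier module in the stack already collected. For an account that exists only in LDAP, pam_unix has no local shadow entry to work with and never collects a new password, so pam_ldap finds nothing to reuse and fails with PAM_AUTHTOK_RECOVERY_ERR, the PAM error whose text is exactly the `Authentication information cannot be recovered` message from the first post:

```text
# /etc/pam.d/common-password  (example, not the original file)

# Broken for LDAP-only users: pam_unix cannot handle them, and with
# use_first_pass pam_ldap refuses to prompt on its own, so there is no new
# password to set -> PAM_AUTHTOK_RECOVERY_ERR
# ("passwd: Authentication information cannot be recovered").
password   sufficient   pam_unix.so obscure sha512
password   sufficient   pam_ldap.so use_first_pass
password   required     pam_deny.so

# Working: pam_ldap asks for the current and new LDAP password itself, so the
# forced change at login can complete even when pam_unix did nothing.
password   sufficient   pam_unix.so obscure sha512
password   sufficient   pam_ldap.so
password   required     pam_deny.so
```

The `Enter login(LDAP) password:` prompt in the original post is pam_ldap asking for the current password before the change; the failure comes at the next step, when the new one is needed. One caveat on the working variant: without `use_first_pass`, any password-quality checks done by pam_unix (the `obscure` option above) no longer apply to the LDAP password, because pam_ldap is now collecting it independently, so password policy for LDAP accounts has to be enforced on the server side (for example with the ppolicy overlay) if it matters.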