LDAP: force user to change password

I am using CentOS-ds (based off Redhat-DS and 389 directory servers).

I have LDAP set up and working to authenticate users (and sudo, that's a handy feature!). Even passwd is working great to change passwords stored in LDAP. However, I have one little problem. How can I force all my user accounts to create a new password after logging into the server? The normal way I would do this:

chage -d 0 username

does not seem to be 'ldap-ified'. How can I force people to create new passwords on their next (ssh) login? I need to create user accounts, and I really don't want people keeping the passwords I set for them.

Edit: I have set the LDAP server to force a password change when their password is reset. However, I cannot seem to find a way to "reset" the password in the correct way to trigger this. (All I can find is just logging in as Directory Manager and changing their password.)

Edit 2: Since we are going to be moving many machines to LDAP once this part is figured out, I wrote a script to run as root to set up LDAP authentication. Perhaps I'm missing something here? (Edited out servers and basedn.)

#!/bin/sh
#
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=<server1>,<server2> --ldapbasedn="<basedn>" --update
echo 'sudoers:    files ldap' >> /etc/nsswitch.conf
echo 'base <basedn>
timelimit 120
bind_policy soft
bind_timelimit 120
idle_timelimit 3600
uri ldap://<server1>/  
uri ldap://<server2>/
ssl no
tls_cacertdir /etc/openldap/cacerts 
pam_password md5
sudoers_base    ou=SUDOers,<basedn>
' > /etc/ldap.conf

I found a solution: in the user's LDAP entry, set shadowLastChange = 0. This will force the user to reset their LDAP password. However, there is also another bug: you then have to modify the permissions (ACLs) on the LDAP server (I had the default one of Allow Self entry modification on OU=People) to also allow them to modify the target shadowLastChange.

Otherwise, they can't change the value, and it stays at zero, forcing them to redo their password every time they log in.
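
The two changes described in the answer, plus a check for accounts stuck at zero, as an added example that is not part of the original post. It assumes entries are named `uid=<user>,ou=People,<basedn>`, uses `dc=example,dc=com` as a placeholder base DN, and adds a separate ACI rather than editing the default one.

```shell
#!/bin/sh
# Added example. Assumed: entries live at uid=<user>,ou=People,<basedn>;
# dc=example,dc=com is a placeholder base DN.

# LDIF that flags one account for a password change at next login.
force_change_ldif() {  # $1 = uid, $2 = base DN
    printf 'dn: uid=%s,ou=People,%s\n' "$1" "$2"
    printf 'changetype: modify\nreplace: shadowLastChange\nshadowLastChange: 0\n\n'
}

# LDIF adding a 389 DS ACI on ou=People that lets each user write only
# their own shadowLastChange, so it can leave 0 after the change.
self_write_aci_ldif() {  # $1 = base DN
    printf 'dn: ou=People,%s\nchangetype: modify\nadd: aci\n' "$1"
    printf 'aci: (targetattr = "shadowLastChange")'
    printf '(version 3.0; acl "Self write shadowLastChange"; '
    printf 'allow (write) userdn = "ldap:///self";)\n\n'
}

# Reads `ldapsearch -LLL ... uid shadowLastChange` output on stdin and
# prints each uid still at 0 (the symptom of the missing ACI).
still_forced() {
    awk -F': ' '
        $1 == "uid"              { uid = $2 }
        $1 == "shadowLastChange" { slc = $2 }
        /^$/ { if (uid != "" && slc == "0") print uid; uid = ""; slc = "" }
        END  { if (uid != "" && slc == "0") print uid }
    '
}

# Constructed sample of ldapsearch output, not taken from the post.
SAMPLE='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 0

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 15400
'

# Apply with e.g.:
#   force_change_ldif alice dc=example,dc=com |
#       ldapmodify -x -H "ldap://<server1>/" -D "cn=Directory Manager" -W
printf '%s\n' "$SAMPLE" | still_forced
```

A uid that `still_forced` reports after that user has already changed their password indicates the self-write ACI is not taking effect.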