Problem : “You are required to change your password immediately (password aged)”

All, I have an LDAP server (RHEL 5) working with two clients. However, I keep getting the “You are required to change your password immediately (password aged)” message every so often at login on my Linux client (RHEL 5). I then change the password. It sticks for a while and then, a few logins later, I get this same message prompting me to change the password. What’s going on here? I explicitly set the password age/length etc. in PAM on the client. Does this have something to do with the shadowPassword settings/permissions? Any suggestions? Thanks.


Solution: “You are required to change your password immediately (password aged)”

That is the whole point: you should not be using the same username both locally in the passwd file and on LDAP.
Pick one.
An LDAP-based username, provided the home dir and shell are set correctly, will behave the same way as if the user were entered in the local passwd/shadow file.

As far as the system sees, usera in /etc/passwd is not the same as usera@LDAP.
The overlay of the UID and GID in LDAP to match those settings in the passwd/shadow files is beyond the scope of the check.

You could set up a cron job that goes through the passwd file collecting the usernames, then queries the LDAP directory for those users’ passwords, and then runs usermod -p ‘password’ username.

As I suggested earlier, root, apache, mail, etc. should remain local to the system.
usera, userb, userc should be LDAP based.
The home dirs of the LDAP users should be on an NFS share mounted on /home/.

This way the user can log in to any workstation and have full access to their home dir and any and all changes they may have previously made.
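As an added example (not part of the original question or answer): a small POSIX shell script that does the first half of the cron job described above, listing the usernames that exist both in the local passwd file (non-system accounts, UID 500 and above, the RHEL 5 default cutoff) and in the LDAP directory. It runs on constructed sample data embedded in the script; the base DN in the ldapsearch command shown in the comments and the UID cutoff of 500 are assumptions. It stops at reporting the overlap so you can decide which side to remove each account from, rather than running usermod.

```shell
#!/bin/sh
# Added example: report usernames that are defined BOTH in the local passwd
# file and as posixAccount entries in LDAP (the situation the answer warns about).
# All input below is constructed sample data, not taken from the original post.

# Constructed /etc/passwd excerpt.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
usera:x:501:501::/home/usera:/bin/bash
userc:x:503:503::/home/userc:/bin/bash'

# Constructed LDIF, in the shape returned by:
#   ldapsearch -x -LLL -H ldap://ldapserver \
#       -b 'ou=People,dc=example,dc=com' '(objectClass=posixAccount)' uid
# (base DN and server name are assumptions for this example)
SAMPLE_LDIF='dn: uid=usera,ou=People,dc=example,dc=com
uid: usera

dn: uid=userb,ou=People,dc=example,dc=com
uid: userb

dn: uid=userc,ou=People,dc=example,dc=com
uid: userc
'

# local_users PASSWD_TEXT MIN_UID
#   Print the login names whose numeric UID is >= MIN_UID, so that root,
#   apache, mail and other system accounts (which should stay local) are skipped.
local_users() {
    printf '%s\n' "$1" | awk -F: -v min="$2" '$3 >= min { print $1 }'
}

# ldap_users LDIF_TEXT
#   Print the value of every "uid:" attribute line in the LDIF.
ldap_users() {
    printf '%s\n' "$1" | awk '$1 == "uid:" { print $2 }'
}

# overlapping_users PASSWD_TEXT LDIF_TEXT
#   Intersection of the two sets: each side is deduplicated first, so a name
#   that appears twice in the concatenated, sorted stream is in both sources.
overlapping_users() {
    {
        local_users "$1" 500 | sort -u
        ldap_users "$2" | sort -u
    } | sort | uniq -d
}

# Stand-alone run against the constructed data; in real use replace the two
# arguments with "$(cat /etc/passwd)" and the output of the ldapsearch above.
for name in $(overlapping_users "$SAMPLE_PASSWD" "$SAMPLE_LDIF"); do
    echo "account defined both locally and in LDAP: $name"
done
```

On the constructed data this reports usera and userc, the two names that the local passwd file and the directory both claim, while userb (LDAP only) and the system accounts are left alone.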