Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-6042: How to configure Centirfy PAM module to check for password expiration before even attempting authentication?

Centrify DirectAudit ,   Centrify DirectControl ,  

31 December,15 at 10:00 PM

Applied to:
Centrify DirectControl 5.2.3+ on all OS platform

Question:
How to configure Centrify PAM module to check for password expiration before even attempting authentication?

Answer:
Starting DirectControl 5.2.3 [Centrify Server 2015.1 release], a new PAM configurable option deny_pwexp is available to have Centrify PAM plugin check for password expiration before even attempting authentication

Example usage:
1. Edit /etc/pamd.d/system-auth
2. auth sufficient pam_centrifydc.so deny_pwexp
3. Restart adclient

Option Explain
This option is used by the ”auth” module in pam.conf.  If this option is present, Centrify PAM plugin check for password expiration before even attempting authentication.  If the password has expired, the authentication attempt will fail immediately without asking if the user wants to change the password. This is useful for web application where it is not possible to prompt the user to change passwords.

For more information, please see Centrify Server Suite 2015.1 Release Note:
https://www.centrify.com/downloads/products/documentation/suite2015/2015.1-release-notes/DirectControl-Release-Notes.html

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.