On 21/05/2018 at 17:10, Net Warrior wrote:
Hello
When I force the expiration by changing pwdMaxAge, what I can see in the
log is the following:
ppolicy_bind: Entry uid=jdoe,ou=Users,dc=domain,dc=com has an expired
password: 0 grace logins
I test the login, I get two warnings as configured but the user is
never forced to change it and can log in as usual, any hint on this?
Seems you are mixing OpenLDAP ppolicy and shadow policy.
Anyway, if the OpenLDAP ppolicy has expired the password, you should not
be able to log in, unless you set some cache or fallback on a local account.
You should test with the ldapsearch or ldapwhoami command to understand the
behavior of OpenLDAP ppolicy. Then you can configure pam/sssd to fit
your needs.
--
Clément Oudot | Identity Solutions Manager
Worteks | https://www.worteks.com