[SSSD-users]sssd & openldap password expiration

2015-12-06 Thread Mario Rossi
Hi,

We have the need to add password (not account) expiration in ldap and I
see that sssd supports pwd policies. What's the recommended way of
achieving password expiration keeping in mind the following:

* currently there are no shadow attributes defined (all users have
shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
shadowMax)
* upon the user logging in, if password is going to expire in a few
days, display a message to the user (pam_account_expired_message,
pam_pwd_expiration_warning?)
* is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3?

I found out the hard way that I need to define shadowExpire to -1
otherwise users get rejected with 'account has expired' message in sssd
debug mode but perhaps my settings are wrong. What shadow attributes
does sssd look for in the openldap tree?


[pam]
...
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use
selfservice portal to change your password and extend account.


[domain/LDAP]
...
# Account expiration
ldap_account_expire_policy = shadow

# Password expiration
#ldap_pwd_policy = none
ldap_pwd_policy = shadow
ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
ldap_access_order = filter, expire

pwd_expiration_warning = 21
...

Seems that I should be looking at src/providers/ldap/ldap_opts.h &
src/providers/ldap/sdap.h .

Thank you,
Mario Rossi
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
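As an added illustration (not code from the thread or from the sssd project), the block below models the shadow(5)-style checks that the posted configuration asks for: `ldap_account_expire_policy = shadow` evaluates shadowExpire, and `ldap_pwd_policy = shadow` derives password age from shadowLastChange and shadowMax, with a warning window like `pam_pwd_expiration_warning = 21`. The attribute names are the standard shadowAccount attributes (sssd-ldap(5) maps them through options such as ldap_user_shadow_last_change, ldap_user_shadow_max and ldap_user_shadow_expire). The sample entries, the "today" value and the treatment of a missing shadowExpire as denied (mirroring the poster's observation rather than a claim about sssd internals) are constructed assumptions for the example; the "expired on the expiry day itself" rule follows the pam_unix convention and is likewise an assumption here.

```python
"""Model of shadow-style account and password expiry checks (illustration only)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample entries; day values are days since 1970-01-01, as stored in LDAP.
SAMPLE_ENTRIES = [
    {"uid": "alice", "shadowLastChange": "16700", "shadowMax": "90", "shadowExpire": "-1"},
    {"uid": "bob",   "shadowLastChange": "16750", "shadowMax": "90", "shadowExpire": "-1"},
    {"uid": "carol", "shadowLastChange": "16730", "shadowMax": "90", "shadowExpire": "-1"},
    {"uid": "dave",  "shadowLastChange": "0",     "shadowMax": "90", "shadowExpire": "-1"},
    {"uid": "erin"},  # shadowAccount objectclass present, no shadow attributes at all
    {"uid": "frank", "shadowLastChange": "16750", "shadowMax": "90", "shadowExpire": "16799"},
]

WARNING_DAYS = 21   # same window as pam_pwd_expiration_warning = 21 in the posted config
TODAY = 16800       # constructed "today", in days since the epoch


@dataclass
class Verdict:
    uid: str
    allowed: bool              # would the account-expiry phase let the user in
    must_change: bool          # password expired or a change is forced at next login
    days_left: Optional[int]   # days until the password expires (negative = already expired)
    warn: bool                 # show the "password expires soon" message at login
    reason: str


def _day_attr(entry: dict, name: str) -> Optional[int]:
    """Return an attribute as an integer day count, or None when absent or empty."""
    value = entry.get(name)
    return None if value in (None, "") else int(value)


def account_check(entry: dict, today: int) -> Tuple[bool, str]:
    """shadowExpire: -1 means never, a day number is the expiry day, absent is treated as
    expired here (assumption mirroring the thread's observation)."""
    expire = _day_attr(entry, "shadowExpire")
    if expire is None:
        return False, "shadowExpire absent: treated as expired"
    if expire == -1:
        return True, "shadowExpire=-1: never expires"
    if today >= expire:  # pam_unix convention: expiry day itself counts as expired
        return False, f"account expired on day {expire}"
    return True, f"account valid until day {expire}"


def password_check(entry: dict, today: int, warning_days: int) -> Tuple[bool, Optional[int], bool, str]:
    """Password ageing from shadowLastChange + shadowMax; returns
    (must_change, days_left, warn, reason)."""
    last_change = _day_attr(entry, "shadowLastChange")
    max_age = _day_attr(entry, "shadowMax")
    if last_change == 0:
        return True, None, False, "shadowLastChange=0: change required at next login"
    if last_change is None or max_age is None or max_age < 0:
        return False, None, False, "no password ageing (shadowLastChange/shadowMax unset)"
    days_left = last_change + max_age - today
    if days_left < 0:
        return True, days_left, False, f"password expired {-days_left} day(s) ago"
    return False, days_left, days_left <= warning_days, f"password expires in {days_left} day(s)"


def evaluate(entry: dict, today: int = TODAY, warning_days: int = WARNING_DAYS) -> Verdict:
    allowed, acct_reason = account_check(entry, today)
    must_change, days_left, warn, pwd_reason = password_check(entry, today, warning_days)
    return Verdict(entry["uid"], allowed, must_change, days_left, warn, f"{acct_reason}; {pwd_reason}")


def evaluate_all(entries=SAMPLE_ENTRIES, today: int = TODAY, warning_days: int = WARNING_DAYS) -> dict:
    """Evaluate every entry and index the verdicts by uid."""
    return {v.uid: v for v in (evaluate(e, today, warning_days) for e in entries)}


if __name__ == "__main__":
    for v in evaluate_all().values():
        flag = "DENY " if not v.allowed else ("CHANGE" if v.must_change else ("WARN " if v.warn else "ok   "))
        print(f"{flag} {v.uid:6} {v.reason}")
```

Run as-is, the sample set shows each state the thread is concerned with: erin (no shadow attributes) is denied, frank is denied because shadowExpire has passed, alice's password is already expired, dave is forced to change at next login, carol falls inside the 21-day warning window and bob does not. Populating shadowLastChange and shadowMax (and shadowExpire = -1 where no account expiry is wanted) on the directory entries is what makes the shadow policy produce the intended warnings instead of a blanket denial.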


[SSSD-users]Re: sssd & openldap password expiration

2015-12-06 Thread Lukas Slebodnik
On (03/12/15 20:24), Mario Rossi wrote:
>Hi,
>
>We have the need to add password (not account) expiration in ldap and I
>see that sssd supports pwd policies. What's the recommended way of
>achieving password expiration keeping in mind the following:
>
>* currently there are no shadow attributes defined ( all users have
>shadowAccount objectclass but no attrs like shadowExpire / shadowMin /
>shadowMax )
>* upon the user logging in , if password is going to expire in a few
>days, display a message to the user ( pam_account_expired_message ,
>pam_pwd_expiration_warning ? )
>* is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3
Default version in el6.7 already contains
lockout and ppolicy options in ldap_access_order
but it seems you want to use only "expire" which is available
also in older versions of sssd.

>?
>
>I found out the hard way that I need to define shadowExpire to -1
>otherwise users get rejected with 'account has expired' message in sssd
>debug mode but perhaps my settings are wrong. What shadow attributes
>does sssd look for in the openldap tree ?
>
>
>[pam]
>...
>pam_pwd_expiration_warning = 21
>pam_account_expired_message = Account/password expired, please use
>selfservice portal to change your password and extend account.
>
>
>[domain/LDAP]
>...
># Account expiration
>ldap_account_expire_policy = shadow
>
># Password expiration
>#ldap_pwd_policy = none
>ldap_pwd_policy = shadow
>ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
>ldap_access_order = filter, expire
>
>pwd_expiration_warning = 21
>...
>
>Seems that I should be looking at src/providers/ldap/ldap_opts.h &
>src/providers/ldap/sdap.h .
Looking at the manual page sssd-ldap should be enough.

LS