Jakub,

Thanks for the quick response. To answer your question, I am using the built-in password policy features of 389-ds, which allow us to use these features:

Maximum Number of Failures
Password Change After Reset
User-Defined Passwords
Password Expiration
Expiration Warning
Grace Login Limit
Password Syntax Checking
Password Length
Password Minimum Age
Password History
Password Storage Schemes
Password Last Change Time

Here is a sanitized version of ldap.conf that is used in our current environment:

===========================================================================
host ldap1 ldap2
URI ldap://ldap1:389 ldap://ldap2:389
base dc=some,dc=company,dc=com
#bind_timelimit 5
#>>
bind_timelimit 3
bind_policy soft
timelimit 3
#^^
ldap_version 3
pam_lookup_policy yes
pam_filter objectclass=posixAccount
pam_password md5
nss_base_passwd ou=People,dc=some,dc=company,dc=com?one
nss_base_passwd ou=Disabled Users,dc=some,dc=company,dc=com?one
nss_base_shadow ou=People,dc=some,dc=company,dc=com?one
nss_base_group ou=Groups,dc=some,dc=company,dc=com?one?|(host=\2A)(host=osd)
#>>
nss_initgroups_ignoreusers root,ldap
#^^
ssl start_tls
#ssl on
tls_cacertdir /etc/openldap/cacerts
===========================================================================

Thanks,
Daniel Bright
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
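As an added example (not code from the thread or from the sssd or 389-ds projects), the script below parses a pam_ldap/nss_ldap-style ldap.conf such as the one posted above and reports the directives that decide whether the server-side password policy listed in the message can actually be enforced: the transport (ssl start_tls / ssl on), whether peer certificate checking is made explicit, and the pam_password change method. The embedded config is a copy of the sanitized one from the post, included so the script runs offline; the audit rules are the editor's, and the advice to prefer `exop` over client-side `md5` hashing is an assumption about how the directory is expected to apply its syntax and history checks.

```python
"""Parse a pam_ldap/nss_ldap-style ldap.conf and summarise the settings that
matter for password-policy enforcement.  Added example; not code from the
original post or from the sssd/389-ds projects.  SAMPLE_LDAP_CONF is a copy of
the sanitized config posted in the thread, embedded so the script runs offline."""

from collections import defaultdict

SAMPLE_LDAP_CONF = """\
host ldap1 ldap2
URI ldap://ldap1:389 ldap://ldap2:389
base dc=some,dc=company,dc=com
#bind_timelimit 5
#>>
bind_timelimit 3
bind_policy soft
timelimit 3
#^^
ldap_version 3
pam_lookup_policy yes
pam_filter objectclass=posixAccount
pam_password md5
nss_base_passwd ou=People,dc=some,dc=company,dc=com?one
nss_base_passwd ou=Disabled Users,dc=some,dc=company,dc=com?one
nss_base_shadow ou=People,dc=some,dc=company,dc=com?one
nss_base_group ou=Groups,dc=some,dc=company,dc=com?one?|(host=\\2A)(host=osd)
#>>
nss_initgroups_ignoreusers root,ldap
#^^
ssl start_tls
#ssl on
tls_cacertdir /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {directive: [values...]}.  Keywords are lower-cased (ldap.conf
    keywords are case-insensitive), repeated directives such as nss_base_passwd
    accumulate in order, and blank/comment lines (including the '#>>'/'#^^'
    markers in the posted file) are skipped.  The value is the rest of the
    line, so 'ou=Disabled Users,...' keeps its embedded space."""
    conf = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf[key].append(value)
    return dict(conf)


def audit(conf):
    """Return a list of (directive, finding) pairs for the settings that decide
    what the client exposes and what the server can enforce."""
    findings = []
    # Transport: 'ssl start_tls' or 'ssl on' protects the simple bind; plain
    # ldap:// URIs (or a bare 'host' line) without either send the password in clear.
    ssl = conf.get("ssl", ["off"])[-1].lower()
    uris = conf.get("uri", [])
    if ssl in ("start_tls", "on"):
        findings.append(("ssl", f"transport protected via {ssl}"))
    elif any(u.startswith("ldap://") for u in uris) or "host" in conf:
        findings.append(("ssl", "no TLS: simple bind sends the password in clear"))
    # Certificate validation: a CA store is configured, but with neither
    # tls_checkpeer nor tls_reqcert set, verification depends on the client
    # library's default, so flag it for an explicit setting.
    if "tls_cacertdir" in conf or "tls_cacertfile" in conf:
        if "tls_checkpeer" not in conf and "tls_reqcert" not in conf:
            findings.append(("tls_checkpeer", "CA trust store set but peer verification "
                             "not made explicit (tls_checkpeer/tls_reqcert)"))
    # Password change path (assumption: the server is expected to run its own
    # syntax/history checks).  'md5' and 'crypt' hash on the client and write a
    # pre-hashed userPassword, so the server never sees the cleartext; 'exop'
    # (Password Modify extended operation) hands the server the cleartext to check.
    pw = conf.get("pam_password", ["clear"])[-1].lower()
    if pw in ("md5", "crypt"):
        findings.append(("pam_password", f"'{pw}' pre-hashes on the client; server-side "
                         "syntax/history checks cannot see the cleartext, consider 'exop'"))
    else:
        findings.append(("pam_password", f"'{pw}' lets the server see the new password"))
    # pam_lookup_policy yes makes PAM read the server's policy (expiry, grace logins).
    if conf.get("pam_lookup_policy", ["no"])[-1].lower() == "yes":
        findings.append(("pam_lookup_policy", "server password policy is consulted by PAM"))
    return findings


if __name__ == "__main__":
    for directive, finding in audit(parse_ldap_conf(SAMPLE_LDAP_CONF)):
        print(f"{directive:18s} {finding}")
```

Run it as-is to see the report for the posted config; point `parse_ldap_conf` at the contents of a real `/etc/ldap.conf` to audit another host.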