Hi, We have the need to add password (not account) expiration in ldap and I see that sssd supports pwd policies. What's the recommended way of achieving password expiration keeping in mind the following:
* currently there are no shadow attributes defined ( all users have shadowAccount objectclass but no attrs like shadowExpire / shadowMin / shadowMax ) * upon the user logging in , if password is going to expire in a few days, display a message to the user ( pam_account_expired_message , pam_pwd_expiration_warning ? ) * is sssd-1.12.4-47 rpm recommended or better sssd-1.12.5-3 <https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-6-x86_64/sssd-1.12.5-3.fc21/>? I found out the hard way that I need to define shadowExpire to -1 otherwise users get rejected with 'account has expired' message in sssd debug mode but perhaps my settings are wrong. What shadow attributes does sssd look for in the openldap tree ? [pam] ... pam_pwd_expiration_warning = 21 pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and extend account. [domain/LDAP] ... # Account expiration ldap_account_expire_policy = shadow # Password expiration #ldap_pwd_policy = none ldap_pwd_policy = shadow ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com ldap_access_order = filter, expire pwd_expiration_warning = 21 ... Seems that I should be looking at src/providers/ldap/ldap_opts.h & src/providers/ldap/sdap.h . Thank you, Mario Rossi
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org