You need to use:

access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

From sssd-ldap(5):

ldap_account_expire_policy (string)
    With this option a client side evaluation of access control
    attributes can be enabled.

    Please note that it is always recommended to use server side
    access control, i.e. the LDAP server should deny the bind request
    with a suitable error code even if the password is correct.

    The following values are allowed:

    shadow: use the value of ldap_user_shadow_expire to determine if
    the account is expired.

    ad: use the value of the 32bit field
    ldap_user_ad_user_account_control and allow access if the second
    bit is not set. If the attribute is missing access is granted.
    Also the expiration time of the account is checked.

    rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check
    if access is allowed or not.

    nds: the values of ldap_user_nds_login_allowed_time_map,
    ldap_user_nds_login_disabled and
    ldap_user_nds_login_expiration_time are used to check if access is
    allowed. If both attributes are missing access is granted. This is
    an experimental feature, please use http://fedorahosted.org/sssd
    to report any issues.

    Default: Empty

ldap_user_ad_account_expires (string)
    When using ldap_account_expire_policy=ad, this parameter contains
    the name of an LDAP attribute storing the expiration time of the
    account.

    Default: accountExpires

ldap_user_ad_user_account_control (string)
    When using ldap_account_expire_policy=ad, this parameter contains
    the name of an LDAP attribute storing the user account control bit
    field.

    Default: userAccountControl

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/915386

Title:
  SSSD/AD 2008 and Password Change
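
Added example, not part of the original message and not SSSD's own code: a Python sketch of the client-side check that the quoted man page text describes for ldap_account_expire_policy = ad, useful for predicting whether a given AD entry would be let through. It assumes accountExpires holds a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), that 0 and 0x7FFFFFFFFFFFFFFF mean "never expires", and that a missing accountExpires is treated as no expiry; the sample entries and the date are constructed.

```python
from datetime import datetime, timedelta, timezone

UAC_ACCOUNTDISABLE = 0x0002               # "second bit" of userAccountControl
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)   # AD sentinels for "no expiry"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(value):
    """Convert 100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse helper, used here only to build the constructed samples."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def ad_access_allowed(entry, now):
    """Return (allowed, reason) for one LDAP entry given as {attr: str}."""
    uac = entry.get("userAccountControl")
    # A missing attribute grants access, as the man page states.
    if uac is not None and int(uac) & UAC_ACCOUNTDISABLE:
        return False, "account disabled"
    expires = entry.get("accountExpires")
    # Assumption: a missing accountExpires means no expiry is set.
    if expires is None or int(expires) in NEVER_EXPIRES:
        return True, "no expiration set"
    if filetime_to_datetime(int(expires)) <= now:
        return False, "account expired"
    return True, "account valid"


# Constructed sample data: 512 = normal account, 514 = 512 | ACCOUNTDISABLE.
NOW = datetime(2012, 1, 20, tzinfo=timezone.utc)
PAST = str(datetime_to_filetime(datetime(2012, 1, 1, tzinfo=timezone.utc)))
FUTURE = str(datetime_to_filetime(datetime(2013, 1, 1, tzinfo=timezone.utc)))
SAMPLES = {
    "disabled": {"userAccountControl": "514", "accountExpires": "0"},
    "never": {"userAccountControl": "512",
              "accountExpires": "9223372036854775807"},
    "expired": {"userAccountControl": "512", "accountExpires": PAST},
    "valid": {"userAccountControl": "512", "accountExpires": FUTURE},
    "no_attrs": {},
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name, ad_access_allowed(entry, NOW))
```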