On Tue, 2012-06-05 at 12:17 +0200, Angel Bosch wrote:
hi,
I'm not sure if this is sss related, but I can't get passwd policies working.
Is there anyone using shadow attributes for passwd policies?
You should be able to configure this using: ldap_pwd_policy = shadow
Additionally, if any of your shadow attributes are renamed, you can use: ldap_user_shadow_last_change ldap_user_shadow_min ldap_user_shadow_max ldap_user_shadow_warning ldap_user_shadow_inactive ldap_user_shadow_expire
to set them.
Be aware, however, that SSSD will *always* honor server-side password policies if they are available. This is primarily done because shadow attributes are rarely (if ever) properly maintained by the server, and thus the LDAP password policy control is more reliable. So if they disagree, the password policy control will always "win".