Hi,
We have the need to add password (not account) expiration in LDAP, and I see that sssd supports pwd policies. What's the recommended way of achieving password expiration, keeping in mind the following:
* currently there are no shadow attributes defined (all users have the shadowAccount objectclass but no attrs like shadowExpire / shadowMin / shadowMax)
* upon the user logging in, if the password is going to expire in a few days, display a message to the user (pam_account_expired_message, pam_pwd_expiration_warning?)
* is the sssd-1.12.4-47 rpm recommended, or better sssd-1.12.5-3?
I found out the hard way that I need to set shadowExpire to -1; otherwise users get rejected with an 'account has expired' message in sssd debug mode, but perhaps my settings are wrong. What shadow attributes does sssd look for in the OpenLDAP tree?
[pam]
...
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account/password expired, please use selfservice portal to change your password and extend account.
[domain/LDAP]
...
# Account expiration
ldap_account_expire_policy = shadow
# Password expiration
#ldap_pwd_policy = none
ldap_pwd_policy = shadow
ldap_pwdlockout_dn = cn=default,ou=policies,o=Hostopia,dc=hostopia,dc=com
ldap_access_order = filter, expire
pwd_expiration_warning = 21
...
Seems that I should be looking at src/providers/ldap/ldap_opts.h and src/providers/ldap/sdap.h.
Thank you,
Mario Rossi
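As an added example (not from this thread and not sssd's own code), here is a small Python model of how the shadow attributes on a shadowAccount entry turn into the states a login sees, using the day-count semantics of shadow(5). The way pam_pwd_expiration_warning = 21 caps the backend's shadowWarning window is my assumption, based on sssd.conf describing that option as a filter on the warning the backend provides.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """shadow(5) attributes count days since 1970-01-01, not seconds."""
    return (d - EPOCH).days


def _attr(entry, name):
    # LDAP hands back strings; absent or empty is "not set" (shadow(5) treats it like -1)
    value = entry.get(name)
    return None if value in (None, "") else int(value)


def shadow_status(entry, today, pam_pwd_expiration_warning=21):
    """Classify a shadowAccount entry for 'today' the way a PAM login would see it.

    Returns (state, days_left) with state one of:
    'account-expired', 'must-change', 'expired', 'warn', 'ok', 'no-expiry'.
    Assumption: the backend warns inside the shadowWarning window and a
    non-zero pam_pwd_expiration_warning caps that window (0 = no cap).
    """
    now = days_since_epoch(today)

    # shadowExpire is an absolute day on which the *account* expires; -1 or absent = never
    expire = _attr(entry, "shadowExpire")
    if expire is not None and expire >= 0 and now >= expire:
        return "account-expired", expire - now

    last_change = _attr(entry, "shadowLastChange")
    max_age = _attr(entry, "shadowMax")
    if last_change == 0:  # shadow(5): 0 forces a password change at next login
        return "must-change", 0
    if last_change is None or last_change < 0 or max_age is None or max_age < 0:
        return "no-expiry", None  # no maximum password age is enforced

    days_left = last_change + max_age - now
    if days_left < 0:
        return "expired", days_left

    warn_window = _attr(entry, "shadowWarning")
    warn_window = warn_window if warn_window is not None and warn_window > 0 else 0
    if pam_pwd_expiration_warning > 0:
        warn_window = min(warn_window, pam_pwd_expiration_warning)
    if days_left <= warn_window:
        return "warn", days_left
    return "ok", days_left


if __name__ == "__main__":
    # Constructed sample: password changed on day 16500, 90-day maximum, checked on 2015-06-01
    sample = {"shadowLastChange": "16500", "shadowMax": "90", "shadowWarning": "30", "shadowExpire": "-1"}
    print(shadow_status(sample, date(2015, 6, 1)))  # ('warn', 3)
```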