Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: "Also 'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts.
Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips?
thanks,
Chris Paul