ldap_user_shadow_last_change ldap_user_shadow_min ldap_user_shadow_max ldap_user_shadow_warning ldap_user_shadow_inactive ldap_user_shadow_expire
can you explain how these attributes are interpreted?
They just allow you to specify which attribute in LDAP represents this attribute for "shadow".
Now I only get two states from the user's point of view: the user can log in or can't.
I don't get any warning about expiration or any chance to change expired passwords.
I've opened a bug regarding info on the lightdm package, because I think it is the client's job to understand PAM messages: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
Yeah, that's likely the case. We mainly test with GDM, which does support the PAM conversation properly. One thing you can try is directly logging in on the console (ctrl-alt-f2) or via SSH. If those both warn you appropriately, it's a lightdm bug. If they don't, something else is wrong. (Please try both, SSH has some gotchas in configuration that make it easy for just it to be wrong where other login mechanisms are correct).
I've been testing with ssh and I got an error when a user in the 'warning' state tries to log in:
$ ssh cprli0554 -l pepet9
pepet9@cprli0554's password:
Permission denied, please try again.
---
# tail auth.log
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.example.net user=pepet9
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): received for user pepet9: 4 (System error)
---
# tail -f sssd_imasmallorca.net.log
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [string_to_shadowpw_days] (0x0020): Input string contains not allowed negative value [-1].
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [get_user_dn] (0x0020): find_password_expiration_attributes failed.
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
---
I'm using standard values, so I didn't change any default setting besides 'ldap_pwd_policy = shadow'.
regards,
abosch
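The shadow attributes named at the top of the thread, and the -1 value that the sssd log above rejects, are easiest to understand by walking through the shadow(5) aging rules. The evaluator below is an added example, not sssd's own code: it assumes attribute values arrive as LDAP strings and treats empty or negative values (-1 is a common directory default) as "not set" rather than failing the whole lookup, which is the tolerant behaviour a defender wants so that a stale shadowMin does not turn every login into a "System error".

```python
"""Shadow-style password aging for one LDAP user entry (added example).

Days are counted since the Unix epoch as shadow(5) defines. Empty and
negative values (e.g. -1) are treated as "not set"; this is an assumption
for the example, not sssd's behaviour.
"""
from datetime import date

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    return (d - EPOCH).days


def parse_days(value):
    """Int day count, or None when unset (missing, empty or negative)."""
    if value is None or str(value).strip() == "":
        return None
    n = int(value)
    return None if n < 0 else n


def evaluate_shadow(entry, today):
    """Return (state, days_left) for a dict of shadow attributes.

    state: ok | warn | must_change | expired | inactive | account_expired.
    days_left is days until the password expires (negative once past).
    """
    today_days = days_since_epoch(today)
    last = parse_days(entry.get("shadowLastChange"))
    max_age = parse_days(entry.get("shadowMax"))
    warn = parse_days(entry.get("shadowWarning"))
    inactive = parse_days(entry.get("shadowInactive"))
    expire = parse_days(entry.get("shadowExpire"))

    # shadowExpire is an absolute day: the account is disabled from then on.
    if expire is not None and today_days >= expire:
        return ("account_expired", expire - today_days)
    # shadowLastChange of 0 forces a change at next login (shadow(5)).
    if last == 0:
        return ("must_change", 0)
    # Without a last-change date or a maximum age there is nothing to age.
    if last is None or max_age is None:
        return ("ok", None)
    days_left = last + max_age - today_days
    if days_left <= 0:
        # Grace period: still usable until shadowInactive days have elapsed.
        if inactive is not None and -days_left >= inactive:
            return ("inactive", days_left)
        return ("expired", days_left)
    if warn is not None and days_left <= warn:
        return ("warn", days_left)
    return ("ok", days_left)
```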