On Tue 27 Nov 2012 03:51:55 PM EST, Iain Morgan wrote:
Hello,
I recently began experimenting with sssd (1.8.0) and have run into an issue with its support for password expiration. Specifically, the case where sssd is configured to use LDAP and the user authenticates via SSH public-key.
If a user connects via ssh to a host which is using sssd and authenticates via a public-key, the only way to enforce password expiration appears to be to set ldap_pwd_policy=shadow. However, sssd will not attempt to change the password when the policy is thus set.
I know that there are those who would argue that password expiration should not be enforced when public-key authentication is used, but that is an organizational policy decision. The expectation for the environment which I deal with is that password expiration should be enforced, and work, regardless of the method used for authentication.
Is there some trick that I have overlooked or is this simply a design limitation? If the shadow map were exposed, pam_unix.so could be used to detect password expiration and pam_sss.so (with ldap_pwd_policy=none) could be used to change the password, but that is not currently the case.
Try setting:
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow
That should do what you're looking for. It tells the SSSD to honor shadow expiration/locking policy during the PAM_ACCT_MGMT phase. This phase will occur regardless of what authentication mechanism you use.
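For readers who want to see where those three settings sit relative to the ones Iain already had, here is an added example sssd.conf domain section (not configuration posted by either author; the domain name, LDAP URI and search base are placeholders you would replace with your own). It keeps ldap_pwd_policy = shadow so that the expiry data is read from the shadow attributes, and adds the access-control settings from the reply so that expiry is enforced in the account-management phase, which sshd runs after public-key authentication as well as after password authentication.

```ini
# /etc/sssd/sssd.conf  (example added here, not from the thread)

[sssd]
services = nss, pam
domains = example            ; placeholder domain name

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com        ; placeholder
ldap_search_base = dc=example,dc=com      ; placeholder

; Read password-ageing fields (shadowLastChange, shadowMax, ...) from LDAP.
; This alone only affects password-based authentication.
ldap_pwd_policy = shadow

; Enforce shadow expiration/locking during the PAM account-management
; (PAM_ACCT_MGMT) phase, which runs regardless of how the user authenticated,
; including SSH public-key logins.
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = shadow
```

For the account phase to run at all, the host's PAM stack for sshd must include pam_sss.so in its account section (for example via the distribution's common account include), and sshd must be built with PAM support and have UsePAM enabled; otherwise the access_provider settings are never consulted for public-key sessions.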