You could expire the account, and not the password. Not the most elegant way, but I could not find any other way to implement password expiry. I did try it a while back on a much older version, so I can't tell if latest code still supports it. All I needed to have in OpenLDAP is shadowExpire and no other "shadow" attributes.
sssd.conf:

[pam]
....
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Your LDAP password has expired, please use selfservice portal to change your LDAP password
....

[domain/xyz]
....
# SET Account expiration to shadowAccount
ldap_account_expire_policy = shadow
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled:
#   $ echo $(($(date --utc --date "$1" +%s)/86400))

# SET Password expiration to none
ldap_pwd_policy = none
ldap_access_order = filter, expire
....
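An added example, not from either poster: a small POSIX shell helper that turns a calendar date into the day number shadowExpire expects (the same arithmetic as the one-liner in the config comment), derives that day from the aging attributes the original post lists, and emits the LDIF to set it. The DN suffix and user name are assumptions; GNU date is assumed, as in the quoted snippet.

```shell
#!/bin/sh
# Added example (not the thread's own code). Assumes GNU coreutils date.

# Days since 1970-01-01 UTC for a calendar date such as "2019-03-01".
# This is the value sssd compares when ldap_account_expire_policy = shadow.
days_since_epoch() {
    echo $(( $(date --utc --date "$1" +%s) / 86400 ))
}

# Derive the expiry day from the aging attributes in the original post:
# the password expires shadowMax days after shadowLastChange, and the
# account is locked shadowInactive days after that.
#   $1 = shadowLastChange  $2 = shadowMax  $3 = shadowInactive
shadow_expire_from_aging() {
    echo $(( $1 + $2 + $3 ))
}

# LDIF modify that sets shadowExpire on a user. The base DN is an
# assumption (dc=example,dc=com); adjust to the real directory.
#   $1 = uid  $2 = shadowExpire day number
expire_ldif() {
    printf 'dn: uid=%s,ou=People,dc=example,dc=com\n' "$1"
    printf 'changetype: modify\nreplace: shadowExpire\nshadowExpire: %s\n' "$2"
}

# Usage: compute the day for the poster's sample user and print the LDIF.
# shadowLastChange 15308, shadowMax 120, shadowInactive 30 -> 15458
expire_ldif someuser "$(shadow_expire_from_aging 15308 120 30)"
```

Feed the printed LDIF to ldapmodify (for example `ldapmodify -x -D <admin DN> -W < file.ldif`) to set the attribute on each account.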
On 10/31/18 10:26 AM, Bartłomiej Solarz-Niesłuchowski wrote:
Dear List,
On my network we use ldap to "aging" password.
Every user is defined in the LDAP server (openldap) with 5 attributes:

shadowLastChange: 15308
shadowInactive: 30
shadowMin: 0
shadowMax: 120
shadowWarning: 30
the sssd uses 6 attributes:
shadowLastChange
shadowMin
shadowMax
shadowWarning
shadowInactive
shadowExpire

We have NO shadowExpire attribute (from a mathematical point of view shadowExpire = shadowLastChange+shadowLastChange).
So how can we use sssd with password "aging" option....?
Best Regards
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...