Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works, as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: “Also 'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts.
Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips?
thanks,
Chris Paul
On Wed, Jan 15, 2020 at 10:59:34PM -0800, Chris Paul wrote:
Is it possible to use sssd-ldap (1.16.4-21, CentOS 7.7) with FreeIPA server (4.6.5-11, CentOS 7.7) and have password policy (ldap_access_order=ppolicy) and also account expiration (ldap_account_expire_policy = ipa)? It’s implied that IPA works, as why else would “ipa” be an option to ldap_account_expire_policy?
I’m trying this in my lab; can’t get it to work.
Also not perfectly clear from the manual is how to use pwd_expire_policy_reject, pwd_expire_policy_warn, pwd_expire_policy_renew. In the manual, it is written: “Also 'ldap_pwd_policy' must be set to an appropriate password policy.”
What should ldap_pwd_policy be set to for an IPA server?
The docs also say, “for ldap_account_expire_policy=rhds, ipa, 389ds: use the value of ldap_ns_account_lock to check if access is allowed or not.”
On my FreeIPA server, I don’t see the ldap_ns_account_lock attribute set for expired accounts.
Hi,
'ldap_ns_account_lock' is referring to the SSSD config option
ldap_ns_account_lock (string): When using ldap_account_expire_policy=rhds or equivalent, this parameter determines if access is allowed or not.
Default: nsAccountLock
So please look for the nsAccountLock attribute on the IPA server.
HTH
bye, Sumit
Either my reading is deficient or the documentation is. I’d be happy to contribute if I understood. Does anyone have any tips?
thanks,
Chris Paul
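To make the distinction in Sumit's reply concrete, here is an added example (not code from the thread, SSSD or FreeIPA) that models the two separate checks over a constructed LDIF dump of IPA-style user entries. The account-lock check is the one the man page describes for ldap_account_expire_policy=rhds/ipa/389ds: deny when the attribute named by ldap_ns_account_lock (default nsAccountLock, which `ipa user-disable` sets to TRUE) is TRUE, allow when it is absent or FALSE. The password-expiry check is this example's own assumption about what a password policy would have to look at: it reads krbPasswordExpiration, the attribute IPA keeps password expiry in, and classifies the entry as ok, warn or expired. The thread does not settle which ldap_pwd_policy value applies to an IPA server, so treat that second check as an assumption rather than a statement of how SSSD resolves it. The sample entries, the example clock EXAMPLE_NOW and the 7-day warning window are constructed for the example.

```python
"""Model of (a) the nsAccountLock check behind ldap_account_expire_policy=ipa
and (b) an assumed krbPasswordExpiration check, over constructed LDIF."""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not taken from a real server).
# alice: disabled with `ipa user-disable`, so nsAccountLock is TRUE.
# bob:   active, password expires far in the future.
# carol: active, password expires within the warning window.
# dave:  explicitly unlocked, but password already expired.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
uid: alice
nsAccountLock: TRUE
krbPasswordExpiration: 20191201000000Z

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
uid: bob
krbPasswordExpiration: 20300101000000Z

dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
uid: carol
krbPasswordExpiration: 20200120000000Z

dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
objectClass: inetOrgPerson
uid: dave
nsAccountLock: FALSE
krbPasswordExpiration: 20191201000000Z
"""

# Fixed "current time" for the example so results are reproducible.
EXAMPLE_NOW = datetime(2020, 1, 16, tzinfo=timezone.utc)


def parse_ldif(text):
    """Parse minimal LDIF (attr: value lines, folded continuation lines,
    blank-line separated entries; no base64 or changetype support) into a
    list of dicts mapping lower-cased attribute names to value lists."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:      # folded continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            last_attr = None
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def account_locked(entry, ldap_ns_account_lock="nsAccountLock"):
    """The ldap_account_expire_policy=rhds/ipa/389ds decision: locked iff the
    attribute named by ldap_ns_account_lock is TRUE. A missing attribute means
    the account is not locked. LDAP booleans are TRUE/FALSE; the case-insensitive
    compare is this example's choice."""
    values = entry.get(ldap_ns_account_lock.lower(), [])
    return any(v.upper() == "TRUE" for v in values)


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime of the form YYYYmmddHHMMSSZ (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, now=EXAMPLE_NOW, warn_days=7,
                   expiry_attr="krbPasswordExpiration"):
    """Assumed password-expiry check over krbPasswordExpiration.
    Returns 'expired', 'warn' (expires within warn_days) or 'ok'."""
    values = entry.get(expiry_attr.lower())
    if not values:
        return "ok"                                 # no expiry recorded
    expires = parse_generalized_time(values[0])
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "warn"
    return "ok"


def evaluate(ldif_text=SAMPLE_LDIF, now=EXAMPLE_NOW, ldap_ns_account_lock="nsAccountLock"):
    """Run the lock check first, then the expiry check; return {uid: verdict}."""
    verdicts = {}
    for entry in parse_ldif(ldif_text):
        uid = entry["uid"][0]
        if account_locked(entry, ldap_ns_account_lock):
            verdicts[uid] = "deny: account locked (%s=TRUE)" % ldap_ns_account_lock
            continue
        state = password_state(entry, now)
        verdicts[uid] = {"expired": "deny: password expired",
                         "warn": "allow: password expires soon"}.get(state, "allow")
    return verdicts


if __name__ == "__main__":
    for uid, verdict in evaluate().items():
        print(uid, "->", verdict)
```

Run against the sample, alice is denied by the lock check alone, dave is unlocked but denied by the expiry check, carol is allowed with a warning, and bob is allowed. The point of separating the two functions is the one Chris raises below: a TRUE nsAccountLock is an administrative lock, and a password-expiry policy has to consult a different attribute.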
On 1/16/20 3:51 AM, Sumit Bose wrote:
'ldap_ns_account_lock' is referring to the SSSD config option ldap_ns_account_lock (string): When using ldap_account_expire_policy=rhds or equivalent, this parameter determines if access is allowed or not.
Default: nsAccountLock
So please look for the nsAccountLock attribute on the IPA server.
HTH
bye, Sumit
Hi Sumit,
Thanks for the response. Right, yes, I did check for that. The nsAccountLock attribute will lock out a user, but that would be a manual process, not a password policy.
CP