> > ldap_user_shadow_last_change
> > ldap_user_shadow_min
> > ldap_user_shadow_max
> > ldap_user_shadow_warning
> > ldap_user_shadow_inactive
> > ldap_user_shadow_expire
> >
>
> can you explain how these attributes are interpreted?
They just allow you to specify which attribute in LDAP represents this
attribute for "shadow".
>
> now I only get two states from the point of view of the user: the user
> can log in or the user can't.
>
> I don't get any warning about expiration or any chance to change
> expired passwords.
>
>
> I've opened a bug regarding info on the lightdm package because I think
> it is the client's job to understand PAM messages:
>
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1009013
>
Yeah, that's likely the case. We mainly test with GDM, which does
support the PAM conversation properly. One thing you can try is
directly logging in on the console (ctrl-alt-f2) or via SSH. If those
both warn you appropriately, it's a lightdm bug. If they don't,
something else is wrong. (Please try both, SSH has some gotchas in
configuration that make it easy for just it to be wrong where other
login mechanisms are correct).
I've been testing with ssh and I got an error when users with 'warning' state
try to log in:
$ ssh cprli0554 -l pepet9
pepet9@cprli0554's password:
Permission denied, please try again.
---
# tail auth.log
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.example.net user=pepet9
Jun 27 12:38:35 cprli0554 sshd[3003]: pam_sss(sshd:auth): received for user pepet9: 4 (System error)
---
# tail -f sssd_imasmallorca.net.log
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [string_to_shadowpw_days] (0x0020): Input string contains not allowed negative value [-1].
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [get_user_dn] (0x0020): find_password_expiration_attributes failed.
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sending result [4][example.net]
(Wed Jun 27 12:38:35 2012) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0100): Sent result [4][example.net]
---
I'm using standard values, so I didn't change any default setting besides
'ldap_pwd_policy = shadow'
regards,
abosch
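
The thread asks how the shadow attributes are interpreted, and the log shows a lookup failing on a `-1` value. As an added example (not part of the thread and not SSSD code), this Python evaluates one LDAP entry the way shadow(5) describes and lists the attributes holding negative values. Assumptions: the RFC 2307 attribute names, `-1` or a missing attribute meaning "unset", and a constructed `SAMPLE` entry.

```python
# Added example, not SSSD source. Semantics follow shadow(5); treating -1 or a
# missing attribute as "unset" is an assumption, as is the SAMPLE entry.
from datetime import date

SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")

# Constructed entry: password changed on day 15432, valid 90 days, warn 7 days.
SAMPLE = {"shadowLastChange": "15432", "shadowMin": "0", "shadowMax": "90",
          "shadowWarning": "7", "shadowInactive": "-1", "shadowExpire": "-1"}

def days_since_epoch(d):
    """Shadow fields count days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def negative_attrs(entry):
    """Attributes holding a negative value, the condition reported in the log."""
    return [a for a in SHADOW_ATTRS if a in entry and int(entry[a]) < 0]

def shadow_state(entry, today):
    """Return (state, days_left) for an entry given as a dict of strings."""
    def get(attr):
        value = int(entry.get(attr, -1))
        return None if value < 0 else value
    now = days_since_epoch(today)
    last, maximum = get("shadowLastChange"), get("shadowMax")
    warn, inactive, expire = (get("shadowWarning"), get("shadowInactive"),
                              get("shadowExpire"))
    if expire is not None and now >= expire:
        return ("account_expired", None)
    if last == 0:                      # 0 forces a change at next login
        return ("change_required", None)
    if last is None or maximum is None:
        return ("ok", None)            # no password ageing configured
    left = last + maximum - now
    if left < 0:                       # password is past shadowMax
        if inactive is not None and now > last + maximum + inactive:
            return ("password_expired", None)
        return ("change_required", None)
    if warn is not None and left < warn:
        return ("warning", left)
    return ("ok", left)

if __name__ == "__main__":
    print(negative_attrs(SAMPLE), shadow_state(SAMPLE, date(2012, 6, 27)))
```

Run against real directory entries, the `negative_attrs` result shows which accounts carry the `-1` values that the SSSD build in this thread rejected.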