Hello everyone,

I am trying to get sssd configured with ldap but having a little bit of trouble. I can successfully authenticate and get all user information and all that basic jazz. However when I set pwdReset in the user's entry on our ldap sssd is not prompting the user to reset their password. It's obvious from the sssd log for the domain (part included below) that sssd sees the attribute in the password policy control but the message is not making it back to PAM.

I have also included the config for the domain including some of my attempts to figure out if this is a configuration issue. Am I missing a setting? Have I found a bug? Whats going on here?

- Seth

>>>> some Pertinent Versions

CentOS 6

sssd 1.12.2

openldap 2.4.39

>>>>>>>>>>>>>>>>>>>>>>>> auth-people log

[find_password_expiration_attributes] (0x4000): No password policy requested.

[simple_bind_send] (0x0100): Executing simple bind as: *****

[simple_bind_send] (0x2000): ldap simple bind sent, msgid = 2

[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]

[sdap_process_result] (0x2000): Trace: ldap_result found nothing!

[sdap_process_result] (0x2000): Trace: sh[0x136a340], connected[1], ops[0x1410460], ldap[0x1360050]

[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]

[simple_bind_done] (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1].

[simple_bind_done] (0x1000): Password Policy Response: expire [0] grace [-1] error [Password must be changed].

[simple_bind_done] (0x1000): Password was reset. User must set a new password.

[simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set

[auth_bind_user_done] (0x4000): Found ppolicy data, assuming LDAP password policies are active.

[sdap_handle_release] (0x2000): Trace: sh[0x136a340], connected[1], ops[(nil)], ldap[0x1360050], destructor_lock[0], release_memory[0]

[remove_connection_callback] (0x4000): Successfully removed connection callback.

[be_pam_handler_callback] (0x0100): Backend returned: (0, 12, <NULL>) [Success]

[be_pam_handler_callback] (0x0100): Sending result [12][auth-people]

[be_pam_handler_callback] (0x0100): Sent result [12][auth-people]

>>>>>>>>>>>>>>>>>>>>> sssd.conf section for the domain

[domain/auth-people]

ldap_uri = ************

ldap_user_search_base = ou=people,**********

ldap_group_search_base = ou=group,**********

ldap_id_use_start_tls = True

ldap_tls_cacert = /etc/sssd/ca-certificate.pem

id_provider = ldap

auth_provider = ldap

chpass_provider = ldap

access_provider = ldap

selinux_provider = none

ldap_access_filter = (objectClass=posixAccount)

ldap_access_order = filter

debug_level = 0xFFF0

[sssd]

services = nss, pam

config_file_version = 2

domains = auth-people,auth-systemAccounts

debug = 0xFFF0

[nss]

debug_level = 0xFFF0

[pam]

debug_level = 0xFFF0

pam_verbosity = 2